Dell Change Auditor 6.7
User Guide


© 2015 Dell Inc.
ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a
software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the
applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written
permission of Dell Inc.
The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or
otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT
AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO
LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR
INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS
OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of
the contents of this document and reserves the right to make changes to specifications and product descriptions at any time
without notice. Dell does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Dell Inc.
Attn: LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
Refer to our web site (software.dell.com) for regional and international office information.
Patents
This product is protected by U.S. Patents # 7,979,494; 8,185,598; 8,266,231; and 8,650,578. Additional Patents Pending.
Trademarks
Dell, the Dell logo, GPOADmin, SonicWALL and InTrust are trademarks of Dell Inc. Microsoft, Active Directory, ActiveSync,
Excel, Internet Explorer, Lync, Office 365, OneDrive, Outlook, SharePoint, SQL Server, Windows, Windows PowerShell and
Windows Server are either registered trademarks or trademarks of the Microsoft Corporation in the United States and/or other
countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries. EMC, Celerra, Isilon, VNX,
and VNXe are registered trademarks of EMC Corporation. VMware, ESX, ESXi, and vCenter are registered trademarks or
trademarks of VMware, Inc. in the United States or other countries. Safari and iCloud are registered trademarks of Apple Inc.
Google Drive is a trademark of Google Inc. Amazon Cloud Drive is a trademark of Amazon.com, Inc. or its affiliates. Blackberry
and related trademarks, names and logos are the property of Research In Motion Limited and are registered and/or used in the
U.S. and countries around the world. Used under license from Research In Motion Limited. Itanium is a trademark of the Intel
Corporation in the U.S. and/or other countries. Box is a registered trademark of Box. Change Auditor is not affiliated with or
otherwise sponsored by Dropbox, Inc. Other trademarks and trade names may be used in this document to refer to either the
entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of
others.
Legend
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
Change Auditor User Guide
Updated - August 2015
Software Version - 6.7

Contents
Dell Change Auditor Overview
Change Auditor Client Overview
  Start the Change Auditor client
  Start Page
  Manage connection profiles
  Connection wizard
  Client components
  Customize table content
  Sort data
  Resize or move columns
  Add or remove columns
  Group data
  Filter data
  Directory object picker
Agent Deployment
  Introduction
  Deployment page
  Deploy agents
  Change the agent installation location and system tray option
  Enable auto deployment
  Refresh or clear Deployment page information
Overview Page
  Overview
  My Favorite Search
  Define a favorite search
  Overview panes
  Event Details pane
Searches
  Introduction
  Searches page
  Explorer view
  Searches list
  Search Properties tabs
  View a list of available searches
  Run searches
  Run a quick search
Search Results and Event Details
  Introduction
  Search Results page
  Search Results grid
  Search Properties tabs
  Event Details pane
  View search results
  Display results in different formats
  Preview search results
  Compare results side-by-side
  View event details or search properties
  Display events knowledge base entry
  Email event details
  Copy event details
  Add comments
  View user context and run related searches
  Add search properties to existing event queries
Custom Searches and Search Properties
  Introduction
  Create a custom search
  Search Properties tabs
  Info tab
  Who tab
  What tab
  Where tab
  When tab
  Origin tab
  Alert tab
  Report tab
  Layout tab
  SQL tab
  XML tab
Enable Alert Notifications
  Introduction
  Alert tab (Search Properties tabs)
  Enable alerts
  Disable alerts
  Alert History page
  View alert history
  View event details or alert properties
Administration Tasks
  Administration Tasks tab
  Administration Task lists
  Export/import Administration Task settings
Agent Configurations
  Introduction
  Agent Configuration page
  Define agent configurations
  Assign agent configurations to server agents
  Enable event logging
Coordinator Configuration
  Coordinator Configuration page
  SMTP Configuration pane
  Configure email alert notifications/reports
  Customize alert email content
  Group Membership Expansion pane
  Add groups to Group Membership Expansion list
  Agent Heartbeat Check pane
Purging and Archiving your Change Auditor Database
  Introduction
  Planning your jobs
  Purge and Archive page
  Create and maintain jobs
  Purge and Archive wizard
  Purge selected records
  Who tab
  What tab
  Where tab
  Origin tab
Disable Private Alerts and Reports
  Introduction
  Private Alerts and Reports page
  Disable private alerts and reports
Generate and Schedule Reports
  Introduction
  Schedule reports for email distribution
  Create global report template
  Define report content and layout
  Enable and schedule reporting
  Launch Report Designer
  Publish reports
  Publishing reports to the Dell Knowledge Portal
  Publishing reports to SRS
  Print or save a page's contents
SQL Reporting Services Configuration
  Introduction
  SQL Reporting Services Page
  SQL Reporting Services Templates
  SQL Reporting Services Wizard
Change Auditor User Interface Authorization
  Introduction
  Application User Interface Authorization page
  Add task definition
  Add role definition
  Add application group
Enable/Disable Event Auditing
  Introduction
  Audit Events page
  Enable/disable event auditing
  Modify events severity level or event class description
  Define events to be captured based on results
  View event information
Account Exclusion
  Introduction
  Excluded Accounts Auditing page
  Excluded Accounts templates
  Excluded Accounts wizard
VMware Auditing
  Introduction
  VMware Auditing page
  VMware Auditing templates
  VMware Auditing wizard
  VMware events polling interval
Registry Auditing
  Introduction
  Registry Auditing page
  Registry Auditing templates
  Registry Auditing wizard
Service Auditing
  Introduction
  Services Auditing page
  Service Auditing templates
  Service Auditing wizard
Agent Statistics and Logs
  Introduction
  Agent Statistics page
  Agent Statistics grid
  Resource Properties pane
  Agent system tray icon
  Change Auditor Agent Status dialog
  View agent status/statistics
  Manage Change Auditor agents
  Agent Log page
  View and save agent trace logs
Coordinator Statistics and Logs
  Introduction
  Coordinator Statistics page
  Coordinator system tray icon
  Change Auditor Coordinator Status dialog
  Coordinator Configuration tool
  View coordinator status/statistics
  Manage Change Auditor coordinators
  Coordinator Log page
  View and save coordinator trace logs
Change Auditor Commands
  Menu commands
  Tool bar buttons
  Right-click commands
Change Auditor Email Tags
Change Auditor PowerShell Commands
  Adding the PowerShell Module
  Viewing available commands and help
  Installing Change Auditor coordinators and web clients
  Install-CACoordinator
  Install-CAWebClient
  Finding Change Auditor installations and coordinators
  Find-CAInstallations
  Find-CACoordinators
  Find-CASuitableCoordinator
  Connecting to and disconnecting from Change Auditor installations and coordinators
  Connect-CAClient
  Disconnect-CAClient
  Gathering Change Auditor system information
  Get-CACoordinator
  Get-CACoordinators
  Get-CAInstallation
  Get-CAAgents
  Deploying Change Auditor agents
  Install-CAAgent
  Uninstall-CAAgent
  Update-CAAgent
About Dell
  Contacting Dell
  Technical Support Resources

1 Dell Change Auditor Overview
Dell Change Auditor provides total auditing and security coverage for your enterprise network. Change Auditor
audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information
about vital changes and activities as they occur. Instantly know who made the change including the IP address of
the originating workstation, where and when it occurred along with before and after values. Then automatically
turn that information into intelligent, in-depth forensics for auditors and management -- and reduce the risks
associated with day-to-day modifications.

Audit all critical changes across your enterprise including Active Directory, Exchange, Windows File
Servers, NetApp, EMC, SQL Server, VMware vCenter, SharePoint, and Microsoft Lync.

Track cloud storage and data consumption activity by auditing the use of Dropbox, Dropbox for
Business, Box, and OneDrive.

Collect user logon and logoff activity for regulatory compliance and user activity tracking.

Automate ongoing compliance with tracking and reporting for best practices and regulatory compliance
mandates for SOX, PCI-DSS, HIPAA, FISMA, GLBA and more.

Speed troubleshooting through real-time insight into changes with a comprehensive audit library
including built-in audit alerts, reports and powerful searches.

Proactively protect (lock down) critical Active Directory objects, Exchange Mailboxes and Windows files
and folders from harmful changes that could open security holes or cause resources to become
unavailable.

Modular approach allows separate product deployment and management for key environments including
Active Directory, Exchange, Windows File Servers, NetApp, EMC, SQL Server, Active Directory Query,
SharePoint, Logon Activity, and Lync.

Integrate with other Dell products to track, audit, report and alert on critical changes made using Dell
One Identity Authentication Services, Dell One Identity Defender, and Dell SonicWALL.

Dell Change Auditor for Active Directory


Change Auditor for Active Directory drives the security and control of Active Directory by tracking vital
Active Directory configuration changes in real-time. Change Auditor tracks, audits, reports and alerts on
the changes that impact your directory, including changes to users, groups, nested groups, GPOs,
computers, services, registry, local users/groups and DNS - without the overhead costs of native
auditing.
In addition, Change Auditor for Active Directory allows you to lock down critical Active Directory, ADAM
(AD LDS) and Group Policy objects, to protect them from unauthorized or accidental modifications or
deletions.

Dell Change Auditor for Exchange


Change Auditor for Exchange simplifies the audit process by tracking the activities taking place in your
entire Exchange environment, then providing real-time, detailed alerts about vital changes that occur.
Includes over 300 Exchange events covering owner and non-owner mailbox changes, server
configurations and permissions, and more. Continually being in-the-know helps you to prove compliance,
drive security, and improve uptime while proactively auditing changes to Exchange Server configurations
and permissions.

Change Auditor for Exchange can also provide additional protection over important mailboxes. The
Exchange Mailbox protection feature prevents unwanted access to Exchange mailboxes, making it much
more difficult for rogue administrators to access critical mailboxes.

Dell Change Auditor for Windows File Servers


Change Auditor for Windows File Servers enables administrators to achieve the comprehensive auditing
coverage of native tools without the mass of cumbersome data that native event logs generate. Includes
auditing of Microsoft Windows file server activity related to files and folders, shares and changes to
permissions. Granular selection allows the auditing scope to be set on an individual file or folder as well
as the entire subtree recursive or non-recursive. Change Auditor for Windows File Servers also allows you
to include or exclude certain files or folders from the audit scope in order to ensure a faster and more
efficient audit process.
Change Auditor for Windows File Servers also provides an access control model that permits Change
Auditor Administrators to protect business-critical files and folders on the file server.

Dell Change Auditor for EMC


Change Auditor for EMC tracks, audits, reports and alerts on EMC Celerra/VNX file and folder changes
in real time, translating events into plain English and eliminating the time and complexity required by
native auditing. Granular selection allows the auditing scope to be set on an individual file, folder, or
volume as well as all volumes. Change Auditor for EMC also allows you to include or exclude certain files
or folders from the audit scope in order to ensure a faster and more efficient audit process.

Dell Change Auditor for NetApp


Change Auditor for NetApp tracks, audits, reports and alerts on NetApp filer file and folder changes in
real time, translating events into plain English and eliminating the time and complexity required by
native auditing. The auditing scope can be set on an individual file, folder, or volume as well as all
volumes. Change Auditor for NetApp also allows you to include or exclude certain files or folders from
the audit scope in order to ensure a faster and more efficient audit process.

Dell Change Auditor for SQL Server


Change Auditor for SQL Server provides database auditing to secure SQL database assets with extensive,
customizable auditing and reporting for all critical SQL changes including broker, database, object,
performance, and transaction events, plus errors and warnings. Change Auditor for SQL Server helps
tighten enterprise-wide change and control policies by tracking user and administrator activity such as
database additions and deletions, granting and removing SQL access.
SQL Data Level auditing allows you to audit changes to databases and tables. Separate SQL Data Level
auditing templates must be defined for each target database to be audited by Change Auditor.

Dell Change Auditor for Active Directory Queries


Change Auditor for Active Directory Queries (formerly known as ChangeAuditor for LDAP) monitors
directory access across all domain controllers in the environment and aggregates that information in a
central database identifying LDAP-enabled applications and how they use Active Directory. The LDAP
access data gathered by Change Auditor for Active Directory Queries can then be used during Active
Directory forest migration and restructuring projects.

Dell Change Auditor for SharePoint


Change Auditor for SharePoint provides centralized auditing, including configuration, event collection
and reporting, for Microsoft SharePoint 2010 and SharePoint 2013 servers and farms. It provides built-in
queries and reports that focus on auditing the following areas:

access to content in SharePoint sites


modifications of content (creation, modification and deletion)

changes to permissions and security settings

Dell Change Auditor for Logon Activity


The Dell Change Auditor for Logon Activity auditing module has removed the dependency on Dell
InTrust and the Change Auditor Data Gateway Service to capture user logon activity. This auditing
module consists of two licenses (one for server agents and another for workstation agents) and may be
used to collect logon activity events for regulatory compliance and user activity tracking.

The Dell Change Auditor for Logon Activity User license enables server agents to audit
authentication activity, domain controller authentication activity (Kerberos), and user logon
session activity (the actual time spent on a server).

The Dell Change Auditor for Logon Activity Workstation license enables workstation agents to
audit authentication activity and user logon session activity (the actual time spent on a
workstation).

Dell Change Auditor for Lync

Many enterprises are adopting Microsoft Lync as a standard IM and meeting client; therefore,
monitoring and managing changes in Lync has become critical. The Dell Change Auditor for Lync module
audits configuration and security setting changes in on-premise deployments of Microsoft Lync Server
2010 and 2013, providing real-time change notifications for items sourced in Active Directory.

Dell Change Auditor for Cloud Storage


IT departments today are at the whim of the latest cloud storage application or vendors. Users can easily
take corporate data and store it on the cloud. To facilitate the management of this, Change Auditor
automatically monitors the following cloud storage providers if installed: Dropbox, Dropbox for
Business, Box, and OneDrive (Skydrive).
In addition, Change Auditor provides auditing for the following Dell products:

Dell Change Auditor for SonicWALL


Dell Change Auditor for SonicWALL is an automated auditing module that allows you to collect data on
internet traffic traversing SonicWALL Next-Gen (NG) Firewall devices.

Dell Change Auditor for Dell Authentication Services


Dell One Identity Authentication Services is patented technology that enables organizations to extend
the security and compliance of Active Directory to Unix, Linux and Mac platforms and enterprise
applications. Leveraging Change Auditor for Authentication Services, users of Authentication Services
can now track, audit, report and alert on all critical changes to:

Unix/Linux/Mac-related data for Active Directory users, groups, computers, NIS objects and
Authentication Services personalities

Unix/Linux/Mac settings in Group Policy Objects

Dell Change Auditor for Defender


Dell One Identity Defender enhances security by enabling two-factor authentication to network, Web,
and applications-based resources. Defender was designed to base all administration and identity
management on an organization's existing investment in Active Directory and eliminates the costs and
time involved in setting up and maintaining proprietary databases. Change Auditor for Defender tracks
changes to user accounts enabled with Defender tokens in Active Directory.
With 24x7 real-time alerts and in-depth analysis and reporting capabilities, your infrastructure is always
protected from exposure to suspicious behavior or unauthorized access and kept in compliance with
corporate and government standards.

NOTE: The Dell Change Auditor User Guide explains the core functionality available in Change Auditor
regardless of the product license that has been applied. In addition, there are separate user guides
available that describe the additional functionality added to Change Auditor when the different auditing
modules are licensed. The supplemental user guides include:

Dell Change Auditor for Active Directory User Guide

Dell Change Auditor for Active Directory Queries User Guide

Dell Change Auditor for EMC User Guide

Dell Change Auditor for Exchange User Guide

Dell Change Auditor for Logon Activity User Guide

Dell Change Auditor for NetApp User Guide

Dell Change Auditor for SharePoint User Guide

Dell Change Auditor for SonicWALL User Guide

Dell Change Auditor for SQL Server User Guide

Dell Change Auditor for Windows File Servers User Guide

Dell Change Auditor for Cloud Storage User Guide

2
Change Auditor Client Overview

Start the Change Auditor client

Manage connection profiles

Client components

Customize table content

Filter data

Directory object picker

Start the Change Auditor client


The following conditions must be met for a client to properly connect:

Communications are successful, meaning the coordinator service is running and has a valid SCP listening
port (no firewall implications). If this condition fails, the Change Auditor client will display an error
dialog stating the appropriate issue.

The current authenticated user running the Change Auditor client has the proper credentials for
accessing the Change Auditor coordinator service. If this condition fails, the client will display the
Coordinator Credentials Required dialog allowing you to enter the proper logon credentials to access the
Change Auditor coordinator.

The current authenticated user is a member of either the ChangeAuditor Administrators or
ChangeAuditor Operators AD group. If this condition fails, the Change Auditor logon screen will display
an error and credential text boxes for entering the appropriate credentials.

When using a direct database connection, the current authenticated user running the Change Auditor
client has the proper SQL credentials for accessing the SQL database. If this condition fails, the client
will display the Database Credentials Required dialog allowing you to enter the proper logon credentials
to access the SQL database.

To open the Change Auditor client


1. Select Start | All Programs | Dell | Change Auditor | Change Auditor Client.
   The Connection screen appears allowing you to connect to the default connection profile or
   define/specify a different connection profile.
   A connection profile defines the connection method used to connect to a Change Auditor coordinator in
   trusted or untrusted forests, or to the database directly without connecting with the Change Auditor
   coordinator. See Manage Connection Profiles in the Dell Change Auditor User Guide for more
   information on defining connection profiles.

2. Initially, select the Connect button to use the default connection profile.
   After you have defined alternate connection profiles, select the appropriate profile from the drop-down
   list and click Connect.

3. If you do not have the proper credentials required for access, the credentials dialogs will be displayed
   allowing you to enter the required credentials.

4. The first time the client is opened, you will be presented with the Start page which provides up-to-date
   product information.

5. Select the Deployment page to deploy Change Auditor agents. This page may initially be empty until the
   current forest's server topology has been initially harvested. This page will be automatically refreshed
   once this task has completed.
   NOTE: Topology scan takes a long time when the environment contains a large number of
   workstations.

6. Once agents are deployed and you launch the Change Auditor client, you will be presented with the
   Overview page, which provides a real-time stream of events based on a favorite search definition as
   well as other valuable summary information about the application.

Start Page
From the Start page you can view and access relevant information regarding Change Auditor including news and
updates, support and knowledge base content, online documentation (release notes and guide), links to the
latest releases, and essential contact links.
If you do not want to see this page each time that you open the client, then clear the Display this page each
time I log in option. Once this option has been cleared, the next time you log in you will be directed
automatically to the Overview page. However, we suggest you keep the Start page active as it will contain the
most up-to-date access to the supporting information you may require.

Manage connection profiles


Change Auditor allows you to manage Change Auditor in the same forest or in a different forest from a single
Change Auditor client. With cross-forest support, you can connect to the coordinator service or the database in
many ways.
Change Auditor provides the ability to define connection profiles which can then be used to connect to a Change
Auditor coordinator in trusted or untrusted forests, or to connect to the database directly without connecting
with the Change Auditor coordinator.

To define a new connection profile


1. On the Connection screen, click the Manage button.

2. The Manage Connection Profiles dialog appears. On this dialog, click the Add button to launch the
   Connection wizard, which will step you through the process of defining a new profile.
   NOTE: Previously defined connection profiles (e.g., the default connection profile and any user
   defined connection profiles) are listed at the top of this dialog allowing you to review the details of
   each connection profile and edit any user defined profiles.

3. On the Change Auditor Environment page of the wizard, select the connection method to be used. The
   connection methods available include:

   Forest - use this method to connect to a coordinator in a trusted forest. Enter the DNS name of
   the forest.

   Global Catalog - use this method to connect to a coordinator in an untrusted forest. Enter the
   name or IP address of the global catalog to be used.

   Manual - use this method to connect to a Change Auditor coordinator server located in a different
   Active Directory forest than the client.

   Database Direct - use this method to bypass the coordinator and connect directly to the Change
   Auditor database (i.e., use this method to connect to an archived 6.x database).
   NOTE: The access role will be as an operator with read-only privileges when using the
   Database Direct connection method; therefore, the Administration Tasks tab is not
   available in the Change Auditor client.

4. Depending on the connection method selected, enter the requested information on the Connect to
   Change Auditor Coordinator page:

   Forest - select the Service Connection Point (SCP) to be used to connect to the coordinator.

   Global Catalog - select the SCP to be used. To override the coordinator service DNS, you can enter
   the IP address and port number assigned to the coordinator.

   Manual - enter the fully-qualified domain name or IP address (IPv4 or IPv6) of the server where
   the coordinator resides and specify the port number assigned to the coordinator.
   NOTE: If the coordinator host cannot be resolved by DNS (e.g., if the coordinator service is
   running under a service account instead of Local System) you must enter the IP address of
   the server where the coordinator resides.

   Database Direct - use the Browse button to select the SQL instance and Change Auditor database.
   NOTE: If the current authenticated user does not have the proper SQL credentials to access
   the selected database, the Database Credentials Required dialog appears allowing you to
   enter logon credentials to access the selected SQL database.

5. On the Connection Profile Summary page, review the connection profile details, name the profile and
   click the Test button to test the new connection profile. Click the Finish button to save the connection
   profile and close the Connection wizard.

6. On the Manage Connection Profile dialog, the new connection profile will be added to the list. Click Save
   to save the new profile and close the Manage Connection Profile dialog.

7. To use this new connection profile, select it from the drop-down list on the Connection screen and click
   the Connect button.

8. If you do not have the proper credentials required for access, the appropriate credentials dialogs will be
   displayed allowing you to enter the appropriate credentials.

Connection wizard
The Connection wizard is launched when the Add button at the bottom of the Manage Connection Profiles dialog
is clicked. This wizard steps you through the process of defining a new connection profile.

Table 1. Connection wizard


Change Auditor Environment page

Select one of the following connection methods. Depending on the option selected, additional information will
be requested on this or subsequent pages.
NOTE: If logon credentials are required for access, the appropriate credentials dialog will be displayed
allowing you to enter the appropriate credentials.
Forest

Select this option to locate a Change Auditor service in a trusted forest. By default
the local forest will be displayed; however, you can enter the DNS name of a
different trusted forest that has access to a DNS server and can be resolved.
NOTE: You cannot enter an IP address in this field.

Global Catalog

Select this option to connect to a Change Auditor service in an untrusted forest
and enter the name or IP address of the global catalog to be used.
NOTE: You must use SQL authentication when connecting to an untrusted forest.

Manual

Select this option to manually specify the fully-qualified domain name or the IP
address of the server where the coordinator resides and the port number assigned
to the coordinator.

Database Direct

Select this option to connect to the Change Auditor database directly, without
going through the coordinator, and enter the requested information.
NOTE: Use the Database Direct method to connect to an archived 6.x Change
Auditor database.
An additional page will be displayed requesting the following information:

Change Auditor Server (\SQL Instance) - Enter or use the Browse button to
select the server (name or IP address) and the SQL instance for the Change
Auditor database.

Change Auditor Database - Enter the name of the Change Auditor database.

NOTE: When using the Database Direct option, the Administration Tasks tab is not
available in the Change Auditor client.
Connect to Change Auditor Coordinator page
This page is displayed after you have selected the connection method to be used. The information required to
be entered on this page is based on the connection method selected on the previous page.
Service Connection Point

When the Forest or Global Catalog options are selected on the previous page, this
list displays the Service Connection Points (SCPs) available for use. Select the SCP
to be used from this list.

Coordinator DNS/IP Address

If you selected the Global Catalog option and want to override the coordinator
service DNS, enter the IP address (IPv4 or IPv6) of the server where the coordinator
resides.
If you selected the Manual option on the previous page, enter the fully-qualified
domain name or IP address (IPv4 or IPv6) of the server where the coordinator
resides.
NOTE: If the coordinator host cannot be resolved by DNS (e.g., if the coordinator
service is running under a service account instead of Local System) you must enter
the IP address of the server where the coordinator resides.

Coordinator Port

If you selected the Global Catalog option and entered the IP address to override
the coordinator server DNS, enter the port number assigned to the coordinator.
If you selected the Manual option on the previous page, enter the port number
assigned to the coordinator.
NOTE: You can obtain the port number assigned to a coordinator using the
coordinator log file or Coordinator Status dialog (coordinator system tray icon).

Connection Profile Summary page


This is the last page of the Connection wizard where you can review the connection profile details, name your
profile and/or test your new connection profile.
Profile Summary

This portion of the page displays the settings defined on the previous pages of the
wizard. The content will depend upon the connection method selected. The
information displayed may include:

Connection method

Coordinator

Port

SPN

Change Auditor coordinator server/instance

Connection Profile Name

Enter a descriptive name to be assigned to the new connection profile.

Test

Click this button to test the connection as defined in the connection profile.

Client components
Once a successful connection has been established, the client will be displayed. The Change Auditor client
contains the following main components:

Title Bar - is located across the top of the screen and displays the name of the forest and installation
name to which you are currently connected.

Menu Bar - is located directly below the title bar and displays the menus for accessing Change Auditor
commands. Please refer to the Change Auditor Commands appendix for a description of the menu bar
commands available.

File Menu - use the File Menu commands to connect to or disconnect from a Change Auditor
coordinator, print the currently displayed content, open client logs, or exit the Change Auditor
client.

Edit Menu - use the Edit Menu commands to manage your searches and folders on the Searches
page.

Action Menu - use the Action Menu commands to refresh or reset a page, autofit columns, display
the XML or SQL tabs, enable/disable the auto connect feature or enable/disable the desktop
notification messages.

View Menu - use the View Menu commands to display a different Change Auditor page.

Help Menu - use the Help menu commands to display the online help, retrieve general
information about this release, send feedback about using the product or collect system logs for
troubleshooting purposes.

Tabbed Pages - are displayed below the menu bar and are used to navigate through Change Auditor. The
pages that can be displayed include:

Use the Start page to view and access relevant information regarding Change Auditor including
news and updates, support and knowledge base content, online documentation (release notes
and guide), links to the latest releases, and essential contact links.

Use the Deployment page to deploy, upgrade or uninstall Change Auditor agents from a single
location.

The Overview page provides a real-time stream of events based on a favorite search definition.
It also contains statistics about the events and the status information for the Change Auditor
agents and the Change Auditor coordinator.

The Searches page contains a list of all the searches available. From this page you can run a
search, create a customized search, enable/disable alerting and reporting for a search query.

A new Search Results page is created whenever a search is run. These pages contain a list of the
events returned as a result of the selected search. From this page, you can also view the details
of an event or the search properties used to return the displayed events.

The Alert History page is displayed when the Alert | History right-click command is selected for
an alert-enabled search definition on the Searches page and includes details regarding the events
that triggered the selected alert.

A new Report page is created whenever the Preview Report tool bar button is used on the Report
tab (Search Properties tabs) for a search query. The Report page displays a rendering of the
events returned as a result of the selected search.

A new Log page is created whenever one of the View Logs commands is selected and displays
the event details recorded in the selected log.

The Agent Statistics page displays status and statistics for all installed agents.

The Coordinator Statistics page displays status for all installed coordinators.

The Administration Tasks tab allows you to perform a variety of administration tasks. Use the
navigation pane in the left-hand pane to select the administrative task to be performed. Refer to
Administration Tasks for an overview of the tasks that can be performed using the Administration
Tasks tab and the product license required to perform these tasks.

Customize table content


The contents of the various data grids displayed in the Change Auditor client can be sorted, rearranged and
grouped using the simple utilities provided in Change Auditor. You can perform the following tasks to customize
the content in the data grids displayed within the Change Auditor client:

Sort data

Resize or move columns

Add or remove columns

Group data

Sort data
An arrow in the column heading identifies the sort criteria and order, ascending or descending, being used to
display information.

To change the sort criteria:


1. Click on the column heading to be used for the sort criteria.

2. The sort order will be in ascending order, but can be changed to descending order by clicking on the
   heading a second time.

3. To specify a secondary sort order, SHIFT + click in the heading of the column to be used for the secondary
   sort order.

Resize or move columns


Columns can also be resized or moved within a data grid.

To resize a column:
1. Place your cursor on the boundary between column headings (your cursor will change to a double-arrow).

2. Click and hold the left mouse button dragging the column boundary to the desired size.

To change the order of the columns in the table:


1. Use the left mouse button to click the heading to be moved (the column heading will pop off the table).

2. Drag that column heading to the desired location in the table (arrows will indicate where you are placing
   the selected column).

Add or remove columns


Change Auditor displays a default set of columns for the different pages displayed. You can, however, display
additional data or hide a particular column.

To add or remove columns:


1. Click the button to the far left of the column headings.

2. The Field Chooser dialog appears which lists all of the data (columns) available for display.

3. From this dialog, select the columns to be displayed and clear the columns you do not want displayed.
   NOTE: For each individual search, you can select the data to be retrieved and displayed in the
   client using the Layout search properties tab. From this tab you can also define column order, sort
   criteria and order, groupings and the format to be used for displaying the retrieved data.

Group data
In addition, you can group data to create a collapsed view that can be expanded to view the detailed
information that applies to that group.

To group data:
1. Select a column heading (the column heading will pop off the table) and drag that column heading to the
   space above the table. For example, use the left mouse button to click the Subsystem heading and drag
   that column heading to the space above the table.

2. Optionally, repeat this step to select additional headings to create a hierarchy of groupings.
   This will collapse the table and display the groupings that can be expanded to view the detailed
   information that applies to that group, as shown below.

3. To expand a group and display the individual events listed, click on the + sign to the left of the label.

4. When a grouping is in place, you can use the Pie Chart or Bar Graph icons, located at the top of the grid,
   to redisplay the data.
   NOTE: The pie chart and bar graph displays are only available when a single level grouping has
   been applied to the data grid.

5. In either of these views, use the Data Grid icon to redisplay the data in the grid format.

6. To remove a grouping, select the heading and drag it back down into the table area or right-click a group
   heading (in the area above the grid) and select one of the remove commands.

Filter data
Traditional search capabilities provide the first phase of drilling down on details you may be seeking, but
locating individual events typically requires more granular search capabilities and additional steps. Change
Auditor provides advanced filtering options that allow you to modify the results of a search without changing
the original search. With this capability, filtering can be performed on one or more columns of a result,
ultimately reducing the need to build the same search multiple times with minor customizations.

To filter data:
Throughout the client, you will see a row of data filtering cells under the headings row in each of the data grids.
These cells provide data filtering options which allow you to filter and sort the data displayed.

Place your cursor in one of these cells, and click the Click here to filter data...

In the selected cell, enter the word or string of characters to be used to filter the data displayed.
Filtering will take place as you type your entry.

By default, Change Auditor will use either the starts with or contains expression to filter the data.
However, if you click the search criteria button (in the diagram above), you can select a different
expression.

To remove the filtering and return to the original data grid, click the Remove Filter button to the
far left of the cells.

To remove the filtering of an individual cell, click the Remove Filter button to the right of that cell.

To create a custom filter:


When you place your cursor in a data filtering cell, a drop-down arrow appears to the right of this cell. This
drop-down displays all of the items available for selection, including (Custom), (Blanks), and (NonBlanks).
Selecting an item from this list will display entries based on the item selected.
1. To create a custom filter, place your cursor in the cell beneath the column to be filtered. Click the arrow
   control and select (Custom).
   The Custom Filter dialog appears.

2. Select the appropriate option in the Filter based on <All | Any> of the following conditions.

   Select All if all the criteria entered have to be met in order to be included.

   Select Any if only one of the criteria entered has to be met in order to be included.

3. In the field to the right of the column heading, click the arrow control to select the comparison
   operation to be used (e.g., Like, Equals, Contains, etc.).

4. In the field to the right of the comparison operator, enter the pattern (character string or value) to be
   used to search for a match.
   Use the * wildcard character to match any string of zero or more characters. For example, entering LIKE
   *change* in the Event column will find events that contain the string change, e.g., changed, Change
   Auditor, etc.

5. To add additional criteria, click the Add button. Clicking this button adds a new row to the custom filter
   allowing you to specify additional criteria for the selected column.

6. Once you have created the custom filter, click the OK button to close the dialog and filter the data based
   on the criteria entered.

The following procedures walk you through a few scenarios using the custom filtering feature.

To find events generated when a member is added to a group:


1. Run the All Events search.

2. On the Search Results page, place your cursor in the data filtering cell of the Event column, click the
   arrow control and select (Custom).

3. Select All.

4. Specify the following criteria:

   Contains | group

   Contains | added

   Does not contain | group policy

5. Click OK.

To find delete object operations related to a forest container:


1. Run the All Events search.

2. On the Search Results page, place your cursor in the data filtering cell of the Action column, click the
   arrow control and select (Custom).

3. Select All.

4. Specify the following criteria:

   Contains | delete

   Contains | object

5. Click OK.

6. On the Search Results page, place your cursor in the data filtering cell of the Facility column and enter:
   forest.
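
The two scenarios above, reproduced outside the client as an added example (not Dell's code) so the same triage logic can be run over exported event rows. The sample events, the case-insensitive matching (inferred from the LIKE *change* example), the treatment of a typed filter entry as Contains, and the rule that filters on different columns must all hold are assumptions of this sketch.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Condition:
    operator: str  # "contains", "does not contain", "equals" or "like"
    pattern: str


@dataclass(frozen=True)
class ColumnFilter:
    column: str                        # grid column the filter cell belongs to
    mode: str                          # "all" or "any", as in the Custom Filter dialog
    conditions: Tuple[Condition, ...]


def like_to_regex(pattern: str):
    """Translate a LIKE pattern in which * matches zero or more characters."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE | re.DOTALL)


def condition_matches(value: str, cond: Condition) -> bool:
    # Assumption: comparisons ignore case, as the guide's example implies.
    v, p = value.casefold(), cond.pattern.casefold()
    if cond.operator == "contains":
        return p in v
    if cond.operator == "does not contain":
        return p not in v
    if cond.operator == "equals":
        return v == p
    if cond.operator == "like":
        return like_to_regex(cond.pattern).fullmatch(value) is not None
    raise ValueError(f"unsupported operator: {cond.operator!r}")


def row_matches(row: Dict[str, str], flt: ColumnFilter) -> bool:
    results = [condition_matches(row.get(flt.column, ""), c) for c in flt.conditions]
    if flt.mode == "all":
        return all(results)
    if flt.mode == "any":
        return any(results)
    raise ValueError(f"mode must be 'all' or 'any', got {flt.mode!r}")


def apply_filters(rows: List[Dict[str, str]], filters: List[ColumnFilter]) -> List[Dict[str, str]]:
    # Assumption: filters set on different columns narrow the result together.
    return [r for r in rows if all(row_matches(r, f) for f in filters)]


# Constructed sample rows; these are not real Change Auditor output.
EVENTS: List[Dict[str, str]] = [
    {"Event": "Member added to security group", "Action": "Add Attribute", "Facility": "Group Monitoring"},
    {"Event": "Group Policy link added to OU", "Action": "Modify Object", "Facility": "Group Policy"},
    {"Event": "Member removed from group", "Action": "Remove Attribute", "Facility": "Group Monitoring"},
    {"Event": "Nested member added to group", "Action": "Add Attribute", "Facility": "Group Monitoring"},
    {"Event": "User password changed", "Action": "Modify Attribute", "Facility": "User Monitoring"},
    {"Event": "Container deleted", "Action": "Delete Object", "Facility": "Forest Configuration"},
    {"Event": "Computer deleted", "Action": "Delete Object", "Facility": "Computer Monitoring"},
]

# Scenario 1: Event column, All of: Contains group, Contains added,
# Does not contain group policy.
GROUP_MEMBER_ADDED = ColumnFilter("Event", "all", (
    Condition("contains", "group"),
    Condition("contains", "added"),
    Condition("does not contain", "group policy"),
))

# Scenario 2: Action column, All of: Contains delete, Contains object;
# then "forest" typed into the Facility filter cell.
DELETE_OBJECT = ColumnFilter("Action", "all", (
    Condition("contains", "delete"),
    Condition("contains", "object"),
))
FACILITY_FOREST = ColumnFilter("Facility", "all", (Condition("contains", "forest"),))


def find_group_member_additions(rows: List[Dict[str, str]]) -> List[str]:
    return [r["Event"] for r in apply_filters(rows, [GROUP_MEMBER_ADDED])]


def find_forest_object_deletes(rows: List[Dict[str, str]]) -> List[str]:
    return [r["Event"] for r in apply_filters(rows, [DELETE_OBJECT, FACILITY_FOREST])]


if __name__ == "__main__":
    print("Group member additions:", find_group_member_additions(EVENTS))
    print("Forest object deletes:", find_forest_object_deletes(EVENTS))
```

The Does not contain | group policy row is what keeps Group Policy link events out of the group-membership result, since those events also contain both "group" and "added".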

Directory object picker


Throughout the Change Auditor client, you will encounter the directory object picker which allows you to locate
and select a directory object from your environment. This object picker appears in either a stand-alone dialog
(e.g., Select Active Directory Objects dialog) or as a page in a wizard and consists of the following tabbed
pages:

Browse - use the Browse page to select a directory object from a hierarchical view of your environment

Search - use the Search page to search your environment to locate and select a directory object
NOTE: Disabled objects on these two pages are represented by a red X icon.

Options - use the Options page to view or modify search options used to retrieve directory objects

To browse for a directory object:


1. Open the Browse page.

2. In the Find field, either enter or use the drop-down menu to select the type of directory objects to be
   displayed.
   You can enter multiple classes, separated by either a comma or semi-colon. Note that when you type in
   an entry, you must use the Enter key or the Apply Filter button to display the objects.
   NOTE: Most of the time, this field will be automatically filled in with the appropriate entry. Thus,
   when this field is grayed out, this is a read-only field which cannot be changed.

3. In the explorer view (left pane), single-click on the expansion state box to the left of a container or
   double-click a container to expand the view to display subordinate objects.
   Select a container in this pane to populate the object list (right pane) with the objects that belong to
   the selected container.
   NOTE: Right-clicking the root domain in the explorer view will display a drop-down menu listing
   any peer domains. To view a different domain's objects, select the desired domain from those
   listed.
   Use the F5 button to force a refresh of the contents of this pane.

4. In the object list, click on the object to highlight it and use the Add button to add it to the Selected
   Objects list at the bottom of the dialog.
   NOTE: The Selected Objects list is used for both the Browse and Search pages and will contain the
   objects selected from either of these pages.

5. Once you have added objects to this list, use the Select button to save your selection and close the
   dialog. Or if the directory object picker is part of a wizard, click Next to save your selection and
   continue.

Dell Change Auditor 6.7


User Guide

23

To search your environment to locate a directory object:


1. Open the Search page and use the controls at the top of the page to search your environment to locate
   the desired object(s).

2. In the Find field, either enter or use the drop-down menu to select the type of directory object to be
   located.
   You can enter multiple classes, separated by either a comma or semi-colon. Note that when you type in
   an entry, either press the Enter key or use the Search button to display the objects.
   NOTE: Most of the time, this field will be automatically filled in with the appropriate entry. When
   this field is grayed out, it is read-only and cannot be changed.

3. In the Name field, specify a search expression to be used to search Active Directory to locate a
   particular object. In most cases, this field will contain an asterisk (*) indicating to search for all objects
   of the type specified in the Find field.
   Select the ANR check box to use Ambiguous Name Resolution (ANR) as the search algorithm, which
   allows you to enter limited input (partial data) to find multiple objects in your network.
   When the ANR check box is checked, use one of the following methods to enter your search expression:

   Enter a partial string to return exact matches or a list of possible matches. For example, entering
   Admin will return objects that contain the names Admin, Admins, Administrator,
   Administrators, etc.

   Enter a string preceded by the equal sign (=Admins) to return only exact matches. For example,
   entering =Admin will return only those objects containing the name Admin.

   By default, ANR will search the following attribute fields in Active Directory:
   First Name (GivenName)
   Last Name (Surname)
   Display Name (displayName)
   LegacyExchangeDN
   msExchMailNickname
   Relative Distinguished Name of the object (RDN)
   Office (physicalDeliveryOfficeName)
   Email address (proxyAddress)
   Security Account Manager account (sAMAccountName)

   When the ANR check box is not checked, the search expression entered will be used to search only the
   Display Name of directory objects to locate a particular object.
   To use this search mechanism, enter a string of characters and the wildcard (*) character as described
   below.
   n* will return objects that start with the letter n
   *n will return objects that end in the letter n
   *n* will return objects that contain the letter n within their Display Name.

4. After entering a search expression, use the Search button to initiate the search and return the results of
   the search.

5. The object list displays the objects found as a result of your search. To select an object, click on the
   object to highlight it and use the Add button to add it to the Selected Objects list.
   NOTE: The Selected Objects list is used for both the Browse and Search pages and will contain the
   objects selected from either of these pages.

6. Once you have added objects to this list, use the Select button to save your selection and close the
   dialog. Or if the directory object picker is part of a wizard, click Next to save your selection and
   continue.
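
The name searches described above correspond to ordinary LDAP filters, which helps when the same search has to be reproduced in a script. The following is an added example, not part of this guide or of Change Auditor's own code: it builds a filter from the Find field, the Name field and the ANR check box, escaping special characters (RFC 4515) so that typed input cannot change the filter's structure. The function names and the mapping of the Find field to objectClass are assumptions.

```python
import re

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(text, keep_wildcards=False):
    """Escape filter metacharacters; optionally leave '*' usable as a wildcard."""
    out = []
    for ch in text:
        if ch == "*" and keep_wildcards:
            out.append(ch)
        else:
            out.append(_ESCAPES.get(ch, ch))
    return "".join(out)


def class_filter(find_field):
    """Find field -> objectClass clause (assumption: classes map to objectClass).

    Accepts several classes separated by a comma or semi-colon, as the
    picker's Find field does.
    """
    classes = [c.strip() for c in re.split(r"[;,]", find_field) if c.strip()]
    if not classes:
        raise ValueError("Find field must name at least one class")
    clauses = ["(objectClass=%s)" % escape_value(c) for c in classes]
    return clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)


def name_filter(name, anr):
    """Name field -> filter clause for the two search modes on the Search page."""
    if anr:
        if name.startswith("="):
            exact = name[1:]
            if not exact:
                raise ValueError("'=' must be followed by a name")
            # Active Directory treats (anr==value) as an exact-match ANR search.
            return "(anr==%s)" % escape_value(exact)
        # Partial input: the directory expands anr= across its ANR attributes.
        return "(anr=%s)" % escape_value(name)
    # ANR unchecked: only the Display Name is searched, '*' is a wildcard.
    return "(displayName=%s)" % escape_value(name, keep_wildcards=True)


def build_filter(find_field, name_field, anr=False):
    """Combine both fields into one LDAP filter string."""
    classes = class_filter(find_field)
    name = name_field.strip()
    # A bare '*' (the usual default) means "all objects of this type", so no
    # name clause is added; (displayName=*) would skip objects without one.
    if name in ("", "*"):
        return classes
    return "(&%s%s)" % (classes, name_filter(name, anr))


if __name__ == "__main__":
    # Constructed inputs, mirroring the examples in the text above.
    for find, name, anr in [
        ("user;group", "Admin", True),
        ("user", "=Admin", True),
        ("group", "*n*", False),
        ("user", "a)(objectClass=*", True),  # hostile input stays a literal
    ]:
        print(build_filter(find, name, anr))
```

The last sample shows why the escaping matters: parentheses and the asterisk typed into the Name field end up as literal characters inside the anr value instead of adding a clause to the filter.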

To view or modify the search options to be used to retrieve directory objects:


1. Open the Options page and modify the options as required.
   NOTE: The settings on the Options page only apply to the current user and will not impact other
   users using a Change Auditor client.

   The Search Limit field specifies the maximum number of records to be returned for any given search.
   The default is 2000 records.
   To change this limit, enter a value between 100 and 9999.
   Or to allow an unlimited number of records to be returned, select the No Search Limit check box.

   The Page Size field displays the maximum number of records to be returned per LDAP polling cycle.
   TIP: Care should be taken when modifying this value, because it could impact the performance of
   your searches.

2. Once you have made changes on the Options page, use the Select button to save your selection and close
   the dialog. If the directory object picker is part of a wizard, click Next to save your selection and
   continue.

3
Agent Deployment

Introduction

Deployment page

Deploy agents

Change the agent installation location and system tray option

Enable auto deployment

Refresh or clear Deployment page information

Introduction
The Deployment page in the Change Auditor client displays all the servers and workstations discovered in your
Active Directory environment. From this page you will specify the servers and workstations (if the Change
Auditor for Logon Activity Workstation license is applied) to host a Change Auditor agent.
NOTE: The first time the Change Auditor client is launched, you will be presented with the Deployment
page to deploy Change Auditor agents. Once agents are deployed, the Overview page will be displayed
whenever the Change Auditor client is launched.

Deployment page
The Deployment page in the Change Auditor client allows you to install and configure the Change Auditor agents
from a single location. This page contains a list of the servers and workstations that are joined to the domain to
which an agent can be deployed.
NOTE: The Deployment page will not display non-member objects, such as ADAM workgroup servers or
non-Active Directory workstations, because agents cannot be deployed to non-member objects using the
Deployment tab. See the Dell Change Auditor Installation Guide for more information on manually
installing agents to workgroup servers or non-Active Directory workstations.

The Deployment page may contain the following information for each server/workstation discovered in your
Active Directory forest. The default column of the following table indicates those fields that are displayed by
default. To display different fields, click the Field Chooser button located to the far left of the column
headings and select the columns to be displayed.

Table 2. Deployment page: Field descriptions

Column | Default | Description
Agent Status | Yes | Displays the current deployment status: Active, Inactive, Pending, Copying Files, Executing Installer, Uninstalled.
Coordinator | No | Displays the computer name of the Change Auditor coordinator to which the agent is connected.
Creds | Yes | Indicates whether user credentials have been entered for the selected domain. To enter the credentials to be used to install agents on a domain, use the Credentials tool bar button or right-click command.
Deployment Result | Yes | Indicates the status of the last deployment task: Success - agent was successfully deployed; Valid Creds - user credentials have been verified; you can schedule a deployment task; Access Denied - user credentials are not valid; use the Credentials command to enter the proper user credentials for installing an agent on the selected domain; The target version is already installed - no action required. NOTE: You can use the Clear Results right-click command to clear the entry in this column for the selected server.
DN | No | Displays the distinguished name of a server. (This is the path to the server in the Active Directory schema.)
DNS Name | No | Displays the DNS name of a server.
Domain | Yes | Displays the name of the domain where a server is located.
Exchange Server | No | Indicates whether Exchange is installed on a server.
Forest | No | Displays the name of the forest where the agent resides.
GC | No | Indicates whether the server is a Global Catalog server.
Installation | No | Displays the installation name assigned to the coordinator to which the agent is connected.
IP Address | No | Displays the IP address of a server.
Name | Yes | Displays the NetBIOS name of a server.
Operating System | No | Displays what version of the operating system is running on a server.
Site | No | Displays the name of the site where a server resides.
Type | No | Displays the type of server: Server - member servers joined to the domain; Domain Controller - domain controllers joined to the domain; Global Catalog - domain controller servers designated as Global Catalog servers; Workstation - workstations that are joined to the domain. NOTE: Non-member objects are not included in the Deployment tab because you cannot use this tab to deploy agents to workgroup servers or non-Active Directory workstations. See the Dell Change Auditor Installation Guide for more information on deploying agents to workgroup servers or non-Active Directory workstations.
Version | Yes | Displays the version number of the Change Auditor agent currently installed on a server.
When | No | Displays the date and time for a scheduled deployment task. That is, the date and time entered on the Install or Update dialog (or Uninstall dialog) when the When option is selected. NOTE: Based on the client's current local date and time. The format used to display this date and time is determined by the local machine's regional and language setting.
Workstation | No | Indicates whether the agent is a workstation agent used for capturing user logon activity when the Change Auditor for Logon Activity Workstation auditing module is licensed and cloud storage activity when the Change Auditor for Cloud Storage auditing module is licensed.

In addition to selecting the fields to be displayed in the grid, you can use the drop-down controls above the grid
to define what type of machines are to be displayed on the Deployment page.


The following table describes how to use these controls to filter the content displayed on the Deployment page.

Table 3. Deployment page: Filter controls

Control | Description
Type | Use the left-most control to specify the type of Active Directory objects to be included in the display: All - select to display all domain controllers, member servers and workstations in the forest, domain or site; DCs - select to display the domain controllers in the forest, domain or site; Servers - select to display the servers in the forest, domain or site; Workstations - select to display the workstations in the forest, domain or site. NOTE: Non-member objects are not included in the Deployment tab because you cannot use this tab to deploy agents to workgroup servers or non-Active Directory workstations. See the Dell Change Auditor Installation Guide for more information on deploying agents to workgroup servers or non-Active Directory workstations.
Active Directory view | By default, the Deployment page provides a forest view of the servers found. However, you can use the right-most controls to limit your view to an individual domain or site. Use the middle control to select the Active Directory view (forest, domain or site) then use the right-most control to select an individual forest, domain or site for which servers/workstations are to be displayed.

Deploy agents
To deploy Change Auditor agents:
1. Verify that the user account you will be using to deploy agents is at least a Domain Admin in every
   domain that contains servers/workstations where agents are to be deployed.

2. Verify that the user account is also a member of the ChangeAuditor Administrators group in the specified
   Change Auditor installation.

3. Open the Change Auditor client. The Deployment page will automatically be displayed if agents have not
   yet been deployed. Otherwise, use View | Deployment to open the Deployment page.
   The Deployment page will be populated with the servers (domain controllers and member servers) and
   workstations discovered in your Active Directory environment.
   NOTE: The Deployment page may initially be empty until the current forest's server topology has
   been initially harvested. This page will be automatically refreshed once this task has completed.

4. From this list, select an entry and use the Credentials | Set tool bar button or right-click command to
   enter the proper user credentials for installing agents on the selected domain.
   On the Domain Credentials dialog, select the domain from the list and click the Set button. On the Logon
   Credentials dialog enter the credentials of a user with administrator rights on the selected domain.

5. After entering the proper credentials, select the entry back on the Deployment page and select
   Credentials | Test from the tool bar or right-click menu. If you get a Valid Creds status in the
   Deployment Result column, you can start deploying agents to that domain.
   If you get a Logon Failure status in the Deployment Result column, use the Credentials | Set command
   to re-enter the proper credentials for installing agents.

6. By default, the Change Auditor agent folders (Agent, Systray) will be installed to
   %ProgramFiles%\Dell\ChangeAuditor\. You can, however, change the location of the installation folder by
   clicking the Advanced Options tool bar button.

7. Select one or more servers/workstations on the Deployment page and click the Install or Upgrade tool
   bar button or right-click command.

8. On the Install or Upgrade dialog select one of the following options to schedule the deployment task:
   Now (default)
   When

   If you select the When option, enter the date and time when you want the deployment task to be
   initiated. Click OK to initiate or schedule the deployment task.
   Back on the Deployment page, the Agent Status column will display Pending and the When column will
   display the date and time specified.
   NOTE: To cancel a pending deployment task, select the server/workstation and then click the
   Install or Upgrade button or right-click command. On the Install or Upgrade dialog, click the Clear
   Pending button.

9. As agents are successfully connected to the Change Auditor coordinator, the corresponding Deployment
   Result cell will display Success, the Agent Status cell will display Active and a desktop notification
   will be displayed in the lower right-hand corner of your screen.
   NOTE: To deactivate these desktop notifications, select the Action | Agent Notifications menu
   command.

Change the agent installation location and system tray option
By default, the Change Auditor agent folders (Agent, Systray) will be installed to
%ProgramFiles%\Dell\ChangeAuditor\. You can, however, change the location of the installation folder by using
the Advanced Options tool bar button on the Deployment page.
NOTE: The other option available when the Advanced Options tool bar button is expanded is discussed in
the Dell One Identity ActiveRoles Server Integration appendix in the Dell Change Auditor Installation
Guide.

To change the agent installation location and system tray option:


1. On the Deployment page, select one or more agents from the server/workstation list. Click the
   Advanced Options tool bar button to display the Advanced Deployment Options dialog.

2. To change the installation folder, check the Specify Agent Installation Location check box and enter the
   location to be used for the agent installation folder.
   NOTE: The location entered is used for all agented servers/workstations selected on the
   Deployment page.

3. Select the appropriate option to specify the action to be taken if the path entered above cannot be
   created on a server/workstation:
   Use the default location and continue (Default)
   Fail the installation/upgrade for that agent

4. By default, the system share (ADMIN$) is used; however, you can use a different share by selecting the
   Specify a Custom Share on the Remote Server option and entering the share to be used.

5. Use the Launch ServiceStatusTray on startup options to indicate whether you would like to
   launch/install the Change Auditor agent system tray icon when the agent is started.
   Yes - launch the ServiceStatusTray on startup
   No - do not launch the ServiceStatusTray on startup
   Do not change - do not change the ServiceStatusTray launch option (default)
   NOTE: The Change Auditor agent system tray icon (and the Launch ServiceStatusTray on startup
   setting) applies only to server agents. For more information about this icon, see Agent system tray
   icon.

6. Use the Restart Agent on failure options to indicate whether to restart an agent if it fails to start.
   Yes - restart agent on failure (see note below)
   No - do not restart agent on failure
   Do not change - do not change the restart agent option (default)
   NOTE: When you select Yes, the agent is restarted if a main Change Auditor service goes offline
   due to a crash, failure or unknown exception; however, if the agent is gracefully shut down, the
   service will not be restarted.

7. Optionally, use the Save as Default button to save the current advanced deployment settings as the
   default for future agent deployments.
   You can use the Restore to Default button to restore all of the advanced deployment settings to the
   factory default or last saved defaults.

8. Click the OK button to save your selections and close the dialog. These deployment settings apply to all
   of the agents selected on the Deployment page.

Enable auto deployment


The auto deployment feature allows you to automatically deploy a Change Auditor agent to any new domain
servers that are added to your forest.
NOTE: Auto deployment does NOT apply to servers already in the topology that are promoted to domain
controllers.

To enable auto deployment:


1. From the Deployment page, click the Auto Deploy tool bar button.

2. Select the Enable Auto Deployment to New Servers and/or Enable Auto Deployment to New
   Workstations check box(es).

3. Select one of the following options to specify the servers to which agents are to be deployed:
   All New Servers/Workstations (default)
   Include New Servers/Workstations in Container(s)
   Exclude New Servers/Workstations in Container(s)

4. When the Include New Servers/Workstations in Container(s) or Exclude New Servers/Workstations in
   Container(s) option is selected, click the Add button to locate and select individual containers.
   Clicking the Add button displays the Select Active Directory Objects dialog. Use the Browse or Search
   page to locate and select a container. Once a container is selected, click the Add button to add it to the
   Selection list at the bottom of the dialog. Once you have added all the containers, click the Select
   button to save your selection and close the dialog.
   The containers specified will be displayed in the Containers list on the Auto Deploy to New Computers
   dialog.

5. By default, Change Auditor will check if new servers have been added to the forest every 60 minutes and
   if found will automatically deploy a Change Auditor agent. However, you can use one of the following
   Check for New Computers Added to Forest options to change this interval:
   Every nn Minutes
   Every Day At <time>

6. Click the Set button to specify the credentials of a user with administrator rights on the selected
   domain(s). Click OK to save these user credentials and close the Logon Credentials dialog.

7. Click OK to save your selections and close the Auto Deploy to New Computers dialog.

Refresh or clear Deployment page information
To force a topology harvest refresh:
1. On the Deployment page, click the Force Refresh tool bar button.

   Change Auditor will force a topology harvest and display any new servers/workstations added since the
   last topology harvest.
   NOTE: The default harvest interval is every 24 hours.
   NOTE: Topology scan takes a long time when the environment contains a large number of
   workstations.

To refresh a coordinator's status:

1. On the Deployment page, select one or more servers from the list.

2. Click the Refresh Status tool bar button or right-click command.

   Change Auditor will retrieve and display the latest status for the selected agents, including the agent
   version and deployment results.

To clear the deployment results:


1. On the Deployment page, right-click a server/workstation from the list and click Clear Result.

   This will clear the current and any future entries in the Deployment Result cell for the selected
   server/workstation.

4
Overview Page

Overview

My Favorite Search

Define a favorite search

Overview panes

Event Details pane

Overview
Once agents are deployed, the Overview page is initially displayed when the Change Auditor client successfully
connects to a coordinator. The goal of the Overview page is to provide you with instant access to valuable
information about the application. Therefore, this page provides customized views to highlight application
details based on your preference. For example, you can display Agent Status, Top Agent Activity, Recent Event
Activity, Coordinator Status, Event Counts, or Alert History Counts on the various panes on the Overview page.
Additionally, you can view a real-time stream of events based on a favorite search definition. By default, the
top pane will use the Change Auditor Real-Time search definition and display all events (up to 10,000 records)
generated in the last 20 minutes. You can, however, define a different favorite search and the events captured
from that search will then be displayed across the top of the Overview page.
The information on this page is captured when the Change Auditor client is started. To refresh all of the
information displayed on the Overview page, use the Refresh button, F5 or the Action | Refresh menu
command. Also, when you select a different pane for display, the latest information for the 'new' pane will be
displayed.

My Favorite Search
The top pane displays a real-time view of events generated based on a user-defined favorite search. By
default, Change Auditor will use the Change Auditor Real-Time search definition and this pane will display all
events captured for the last 20 minutes.
As events are returned, they will be added to this search results grid, providing you with a real-time view of
what's happening in your environment. By default, the events are sorted by date, with the latest event being
added to the top of the list. You can, however, use the column controls to select different sort criteria for the
information displayed. For more information on customizing the content of this table, see Customize table
content.
Double-clicking an event in this grid will display the Event Details pane across the bottom of the page, which
contains additional details regarding the event selected in the search results grid. The layout and content for
the My Favorite Search grid is the same as that used on the Search Results page. For a description of the search
results grid and the Event Details pane, please refer to Search Results grid and Event Details pane.


Define a favorite search


By default the Change Auditor Real-Time search (all events captured in the last 20 minutes) is used to capture
the events displayed on the Overview page. You can, however, select a different favorite search, which will
then be used to populate the top pane on the Overview page.

To define a favorite search:


1. Open the Searches page.

2. Select the search to be used, right-click and select Set As My Favorite.

3. Open the Overview page, press F5 (or click the Refresh button) to display the results of that search in the My
   Favorite Search pane at the top of the Overview page.

To modify the current favorite search:


1. From the Overview page, click on the My Favorite Search: <search name> title at the top of the My
   Favorite Search grid.

   The Searches page and corresponding search properties tab are displayed.

2. Use the search properties tabs to modify the search criteria. Click Save from one of the search
   properties tabs to save your changes.

3. Open the Overview pane, press F5 (or click the Refresh button) to display the results of the modified search in
   the My Favorite Search pane.

Overview panes
The Overview panes across the bottom of the Overview page can be customized based on your preference to
display a variety of overview information about Change Auditor. By default, the Top Agent Activity and Agent
Status panes are displayed across the bottom of the Overview page. However, each of these panes has an arrow
button on its heading that can be used to display the different overview information that is available.
Change Auditor provides the following overview views which highlight application details based on your
preference:

Top Agent Activity

Recent Event Activity

Count of Events By

Agent Status

Coordinator Status

Alert History Counts

Within the overview panes, blue underlined numbers are hypertext links. Selecting a link displays the search
results for the selected count.

Top Agent Activity


The Top Agent Activity pane displays the most active Change Auditor agents in your environment. That is, the
agents that have forwarded the most events to the Change Auditor coordinator based on the date range
selected. If this pane is not displayed, click the arrow on the heading of one of the lower panes and select Top
Agent Activity to display this pane.
By default, the agent activity on all servers for the past month, excluding uninstalled agents, will be displayed.
You can, however, use the controls located at the top of this pane to specify the types of agented objects to be
included as well as the date range.

Type
By default all agented objects will be included. However, you can use the drop-down menu located in
the upper left corner of this overview pane to limit the types of objects to be included:

All - select to view all agented servers and workstations (default)

DCs - select to view only agented domain controller servers

Servers - select to view only agented servers that are joined to the domain

Workstations - select to view only agented workstations that are joined to the domain

Others - select to view only non-member objects, such as ADAM workgroup servers or workstation
agents manually installed on non-Active Directory machines

Show Uninstalled Agents


Select this check box to include all uninstalled agents in the count. Uninstalled agents are not included
by default.

Time interval
By default, data will be collected for the last month. However, you can use the controls in the upper
right corner of this overview pane to specify a different time interval for collecting this data.
Where: <nn> is a positive numeric value and <interval> is one of the following:

Hours

Days

Weeks

Months (default)

Years

Recent Event Activity


The Recent Event Activity pane allows you to display recent activity for selected events. Click the arrow on the
heading of one of the Overview panes and select Recent Event Activity to display this pane. By default, the
activity for the following events is displayed in this pane:

Dell Change Auditor Agent restarted

Dell Change Auditor Agent started

Dell Change Auditor Agent stopped

User account locked

User member-of added

User member-of removed

User password changed

Use the controls at the top of this pane to define the content to be included in this Overview pane.

Select Events
Click the Select Events button to select different event classes to be displayed. Clicking this button
displays the Select an Event Class dialog. Select the event classes to be displayed and use the Add button
to add them to the selection list at the bottom of the dialog.
NOTE: A maximum of 10 event classes can be selected. When you have reached this limit, the Add
button is disabled preventing you from adding any additional event classes.


Use these buttons/controls to define the format to be used to display the information. By default, the
data appears in a data grid format.

Use this button to display the data in a bar graph. Select the Show Legend check box to
include a legend for the bar graph.
NOTE: The bar graph button and Show Legend check box only appear when there is activity
to report in this pane.

Use this button to redisplay the data using the data grid format.

Last <nn> Days


The default or selected events will be listed along with the number of events that occurred each day
over the specified time interval. By default, the data will be collected for the last seven days. However,
you can use the control in the upper right corner of this pane to display from one to seven days of data.

Count of Events By
The event counts pane displays a table listing the total number of events captured by Change Auditor, sorted by
the selected category. Click the arrow on the heading of one of the Overview panes, select Count of Events By
and then select one of the following categories to display this pane:

Event Class

Facility

Location

Severity

Result

Subsystem

The count by event panes include the total number of events found in the Change Auditor database based on
the category selected. The counts on these panes are hypertext links, which when selected display a Search
Results page showing the events associated with the selected count. However, the Search Results page only
displays the associated events generated in the last year. If you want to see all of the events associated with the
selected count, edit the date range to include the last nn years in the When tab on the Search Results page.

Agent Status
The Agent Status pane of the Overview page displays a gauge depicting the current status of Change Auditor
agents. Click the arrow on the heading of one of the Overview panes and select Agent Status and then select
one of the following options to display this pane:

Enterprise View - displays all agented member servers installed in the enterprise

Workstation View - displays all agented workstations that are installed on Active Directory machines in
the enterprise

Other View - displays all agented non-member objects, such as ADAM workgroup servers or workstation
agents manually installed on non-Active Directory machines in the enterprise

<DomainName> - displays all agented machines, including servers, workstations and non-member
workgroup computers, installed on the selected domain

Show Uninstalled Agents


By default, only active and inactive agents are included. However, you can select this check box to
include the agents that are set as uninstalled.

Double-clicking the gauge displays the Agent Statistics page which provides a global view of all Change Auditor
agents, including their current status.

Coordinator Status
The Coordinator Status pane displays a gauge depicting the current status of all the Change Auditor coordinators
installed in the entire enterprise or in a selected domain. Click the arrow on the heading of one of the lower
panes and select Coordinator Status and then select one of the following options to display this pane:

Enterprise View - displays all coordinators installed in the enterprise

<DomainName> - displays all coordinators installed in the selected domain

Show Uninstalled Coordinators


Coordinators set as uninstalled are not included by default. However, you can select this check box to
include the coordinators that are set as uninstalled.
Double-clicking the gauge displays the Coordinator Statistics page which provides a global view of all Change
Auditor coordinators, including their current status.

Alert History Counts


The Alert History pane displays the number of SMTP (email) alerts that were successfully sent or failed to send
or the number of SMTP alerts triggered for a search query. Click the arrow on the heading of one of the lower
panes, select Alert History Counts and then select one of the following options to display this pane:

Counts - displays the number of alerts that were successfully sent and the number of alerts that failed to
send

Counts By Query - displays the number of alerts triggered by search query

Event Details pane


The Event Details pane is displayed across the bottom of this page, replacing the Overview panes, when the
Event Details tool bar button is used or when you double-click an event in the My Favorite Search grid. This
pane provides additional details about the event selected in the My Favorite Search grid at the top of the page.
The information displayed is the same as that displayed in the Event Details pane at the bottom of a Search
Results page. Refer to Event Details pane for a description of the details that this pane may contain.


5
Searches

Introduction

Searches page

View a list of available searches

Run searches

Run a quick search

Introduction
Once Change Auditor captures an event, it provides several flexible ways to generate meaningful reports. All
event information is displayed in Change Auditor's client, and its built-in reports provide views for the most
common and complex requests. You can view configuration changes from a variety of perspectives. For
example, you can view all changes at a particular site. You can view changes made during a specific time frame.
Or, you can see the changes performed by a particular administrator. You can even run detailed searches based
on user-defined criteria to fit the needs of your organization.
This section provides a description of the Searches page and steps on how to run a built-in search. For
information on how to create and run a custom search refer to the Custom Searches and Search Properties
chapter.


Searches page
The Searches page displays all of your search definitions, both private and shared, and the built-in reports
provided with Change Auditor. This page consists of the following panes:

Explorer view

Searches list

Search Properties tabs

Explorer view
The left pane of the Searches page displays a hierarchical view of the folders used to manage your search
definitions and the built-in reports provided with Change Auditor. This view initially displays the following
folders:

Quick Search
Allows you to define a search that is to be executed as soon as the definition is finished.
Unlike other custom searches, this search definition will not be saved unless you click Save As on one of
the Search Properties tabs.

Private
Is used to store your personal custom searches (i.e., only you can see these searches).
NOTE: A foreign security principal in foreign forests is required for some private searches to function
properly.
To store foreign user created searches in Change Auditor:
1. Create a trust between the foreign domain and the domain where Change Auditor is installed.
2. Add the foreign user to any group in the Change Auditor domain. This will cause Windows to create a
foreign security principal object in the Change Auditor domain.

Shared
Contains the predefined search definitions provided with Change Auditor and can also be used to store
public custom searches (i.e., all Change Auditor users can see these searches).

Built-In
Contains all of the predefined reports provided with Change Auditor.

Searches list
The right pane of the Searches page displays a list of the search definitions or built-in reports contained in the
folder selected in the explorer view.
The following information is displayed for each search definition:
Table 4. Searches list: Field descriptions
Field

Description

Type

Displays the type of entry: Private Search, Shared Search, Private Alert, Shared Alert
or Report.

Alert

Indicates whether an alert has been enabled for the search query. Valid entries for
this field are:

Enabled - which means that alerting is enabled for the search query and that
at least one transport method is enabled.

Disabled - which means that the alert is disabled for the search query;
however at least one transport method is still enabled.

Report

Indicates whether reporting has been enabled for the search query. Valid entries for
this field are:

Enabled - which means reporting is enabled for the search query and a
report will be sent to the specified recipient(s) as defined on the Report tab.

Disabled - which means previously enabled reporting has now been disabled
for the search query.

Name

Displays the name assigned to the search definition.

Alert To

Displays the email address of any recipient(s) specified to receive an alert email
notification (SMTP).
In addition to an email address or distribution list address, you will see the following
parameterized values when the corresponding option has been selected on the Alert
Custom Email dialog:

%WHO% - indicates that an alert is to be sent to the user who initiated the
change that triggered the alert.

%OWNER% - Indicates that an alert is to be sent to the Exchange Mailbox
owner whose mailbox was accessed by another user and their action
triggered an alert. (This feature only applies to Exchange Mailbox Monitoring,
which is available in Change Auditor for Exchange.)

%MANAGEDBY% - For events associated with groups that are being managed
by another account, indicates that an alert is to be sent to the managing
user's email.

Alert Cc

Displays the email address of any carbon copy recipient(s) specified to receive an
alert email notification.

Alert Bcc

Displays the email address of any blind carbon copy recipient(s) specified to
receive an alert email notification.

Report To

Displays the email address of any recipient(s) specified to receive a report as
defined on the Report tab.


Report Cc

Displays the email address of any carbon copy recipient(s) specified to receive a
report email.

Report Bcc

Displays the email address of any blind carbon copy recipient(s) specified to
receive a report email.

Double-clicking a search definition will run the selected search and display the results in a new Search Results
page.

Search Properties tabs


Located across the bottom of the page, the Search Properties tabbed pages define the criteria or properties
which make up the selected search.
NOTE: If the Search Properties tabs are not displayed across the bottom of the Search page, click the
Show Properties tool bar button at the top of the page.

The Search Properties tabs displayed are:

Info: Allows you to enter a name and description for the search

Who: Allows you to search for events generated by a specific user, computer, or group.

What: Allows you to search for events based on subsystem, event class, object class, severity, or results.

Where: Allows you to search for events captured by a specific agent, domain or site.

When: Allows you to search for events that occurred within a specific date/time range.

Origin: Allows you to search for events that originated from a specific workstation or server.

Alert: Allows you to enable alerts and define how and where to dispatch alerts.

Report: Allows you to enable reporting, specify the report layout template to be used or choose to
design your own report layout, and define when and where to send the report.

Layout: Allows you to define the data (columns) to be retrieved from the database and the sort order for
displaying the retrieved data. The layout defined on this tab applies to both the search results displayed
in the client and in the report, if reporting is enabled on the Report tab.

SQL: Displays the SQL script used to create the selected search definition.
NOTE: This tab is hidden by default. Use the Action | Show SQL Tab to display this tab.

XML: Displays the XML representation of the search criteria.


NOTE: This tab is hidden by default. Use the Action | Show XML Tab to display this tab.

For a detailed description of the Info, Who, What, Where, Origin and Layout tabs and how to use them to create
a custom search, refer to the Custom Searches and Search Properties chapter. For more information about the
Alert tab, see the Enable Alert Notifications chapter. For more information about the Report tab, see the
Generate and Schedule Reports chapter.

View a list of available searches


All search definitions, private or shared, custom or built-in, are listed on the Searches page of the Change
Auditor client.

To view the search definitions available to all Change Auditor users:


1. Open the Searches page.

2. In the explorer view (left pane), double-click the Shared folder (or click the + sign to the left of the
Shared folder) to expand the folder and display a hierarchy of folders.

3. Select a subordinate folder under the Shared folder.
The right pane displays a list of the search definitions that are stored in the selected folder.

Double-clicking a search in the right-hand pane runs the search and opens a new Search Results page.

Right-clicking a search displays a context menu containing actions that can be taken against the selected
search.

To view the search definitions that are only available to you:


1. Open the Searches page.

2. Select the Private folder (or a subordinate folder created under the Private folder) in the explorer view.
The right pane displays a list of the search definitions that are stored in the selected folder.

To view the list of built-in reports (those provided with Change Auditor):
1. Open the Searches page.

2. Expand the Built-in folder in the explorer view.

3. Select a folder under the Built-in folder to view the list of search definitions that are stored in the
selected folder.
The right pane displays a list of the search definitions that are stored in the selected folder.

Run searches
To run a previously saved search or built-in report:
1. Open the Searches page.

2. Expand and select the appropriate folder in the explorer view to display the list of search definitions
stored in the selected folder.

3. Use one of the following methods to run a search:

Double-click the search definition.

Right-click the search definition and select Run.

Select the search definition and click the Run tool bar button at the top of the Searches page.

A new Search Results page will be displayed populated with the events that met the search criteria
defined in the selected search definition.


Run a quick search


The quick search feature allows you to run a search immediately without saving the search definition. However,
if you want to save the search definition, you can use the Save As tool bar button before you run the search.

To run a quick search:


1. Open the Searches page.

2. Select the Quick Search node in the explorer view to display the Quick Search entry in the Searches list
(right pane).

3. You can either run the default quick search which will retrieve all events that were generated since the
beginning of the week or define the search criteria to be used.

To run the default search, double-click the Quick Search entry in the Searches list or click the
Run right-click command or tool bar button.

To define the search criteria, select the Quick Search definition to enable the Search Properties
tabs. On the Search Properties tabs, enter the search criteria to be used. Once finished entering
the search criteria, click the Run tool bar button from one of the Search Properties tabs.

A new search results tab, titled Quick Search, will be displayed populated with the events that met the
search criteria defined.


6
Search Results and Event Details

Introduction

Search Results page

View search results

Preview search results

Compare results side-by-side

View event details or search properties

Display events knowledge base entry

Email event details

Copy event details

Add comments

View user context and run related searches

Add search properties to existing event queries

Introduction
Audit events are the configuration change information that is captured by the Change Auditor agents and
reported to a coordinator and then written to the database. These events can be retrieved and viewed through
searches made through the Change Auditor client. When you run a search, Change Auditor searches the events in
the database for the desired results. The results are then displayed in the Search Results page in the Change
Auditor client.
The terms searches and reports are used in conjunction to acquire the desired output. You run a 'search' and
the results returned are a report.
Auditing and centralizing the collection of events is only one part of the total control and output required for
enterprise security and compliance. It is equally important to be able to retrieve the real-time data and sort
through it quickly and efficiently when it's needed.
This section provides a description of the Search Results page and the Event Details pane. It also provides
instructions for performing related tasks when viewing the search results. For a description of the other dialogs
mentioned in this chapter, refer to the online help.


Search Results page


A new results page is created whenever a search is run. When a search is run, this page displays detailed
information about the events found as a result of the search. This page consists of the following panes:

Search Results grid

Search Properties tabs or Event Details pane

Search Results grid


The Search Results grid displays the events captured as a result of running a search from the Searches page. The
top area of the grid displays the following information:

Run on
Displays the date and time when the search was run.
NOTE: Based on the client's current local date and time. The format used to display this date and
time is determined by the local machine's regional and language setting.

Run Time
Displays the amount of time it took to run the search.

Records
Displays the total number of records returned.

Refresh
Use the Refresh button to redisplay the latest information.


Cancel
When a large number of records are being captured for display, the Refresh button will become a Cancel
button allowing you to cancel the search.
By default, the grid contains the following information about the events returned when a search is run. (You can
specify the columns, sort order and grouping for a search, as well as the display format by using the Layout
search properties tab.)
Table 5. Search Results grid: Event information displayed by default
Column

Description

Action

Displays what change was made to the object.

Domain

Displays the name of the domain to which the agented server belongs.

Event

Displays the type of change that occurred.

Facility

Defines the event class facility to which the change event belongs.

Result

Indicates whether the operation mentioned in the event was successfully completed. Valid
states are:

Success - Indicates the operation occurred as stated in the event.

Protected - Indicates that the operation was prevented from occurring because the
object is protected by the Change Auditor object locking feature.

Failed - indicates that the operation was prevented from occurring due to a
factor/setting outside of Change Auditor's control.

None - indicates that the operation occurred as stated, but no results were captured
for the event. For example, this state is used for most of the internal Change Auditor
events.

Server

Displays the name of the server where the change occurred.

Severity

Displays the severity assigned to a configuration change event:

High

Medium

Low

Site

Displays the name of the site where the agented server resides.

Subsystem

Defines the subsystem, or area of auditing, where the change event occurred.

Time Detected

Displays the date and time when the agent captured the event.
NOTE: Based on the client's current local date and time. The format used to display this
date and time is determined by the local machine's regional and language setting.

User

Displays the name of the user who initiated the change.

Search Properties tabs


From a Search Results page, use the Search Properties tool bar button or right-click command to display the
Search Properties tabs across the bottom of the screen. This view consists of tabbed pages defining the criteria
or properties which make up the selected search.
For a detailed description of the Info, Who, What, Where, Origin and Layout tabs and how to use them to create
a custom search, refer to Custom Searches and Search Properties. For more information about the Alert tab, see
Enable Alert Notifications and the Report tab, see Generate and Schedule Reports.


Event Details pane


Use the Event Details tool bar button or right-click command on a Search Results page, Overview page, or Alert
History page to display the Event Details pane. You can also double-click an event in the search results grid to
display the Event Details pane for the selected event.

This provides the following details about the event selected in the search results grid:
NOTE: All dates and times are based on the client's current local date and time. The format used to
display the date and time is determined by the local machine's regional and language setting.

Table 6. Event Detail pane: Field descriptions


Field

Description

Severity

The severity level assigned to the search is displayed in the upper left-hand corner.

Who

This field specifies the name of the user who initiated the change. If available, the display
name of the user account is also displayed in parentheses.

When

This field specifies the date and time when the change occurred.

Where

This field displays the name of the server where the change occurred.

Source

This field displays the source of the event:

Change Auditor

ActiveRoles Server

GPOADmin

NOTE: When the event is generated from Dell One Identity ActiveRoles Server or Dell
GPOADmin, the name of the user account that initiated the event is displayed in
parentheses.
NOTE: If the Source field displays ActiveRoles (instead of ActiveRoles Server) you are not
using the latest integration scripts. If you want to take advantage of the additional events
and initiator account information captured using the new integration scripts, ensure you are
running One Identity ActiveRoles Server 6.9 (or higher) with Change Auditor for Active
Directory 6.5 (or higher).

Origin

This field displays the NetBIOS name and IP address of the workstation or server from which
the event was generated.

What

Displays a brief description of the change that occurred. There are three basic types of
events generated that determine the "what" information that will be displayed:

Occurrence events (such as an object is created or deleted)

Change events

Delta events (such as DACL/SACL changes)

Depending on the type of event, additional details may be displayed at the bottom of this
pane.


Result

Indicates whether the operation mentioned in the event was successfully completed. Valid
states are:

Success (Green) - Indicates that the operation occurred as stated in the event.

Protected (Yellow) - Indicates that the operation was prevented from occurring
because the object is being protected by the Change Auditor object locking feature.

Failed (Red) - Indicates that the operation was prevented from occurring due to a
factor/setting outside of Change Auditor's control.

None (Green) - Indicates that the operation occurred as stated, but no results were
captured for the event. For example, this state is used for most of the internal
Change Auditor events.

Subsystem

The first field defines the subsystem, or area of monitoring, where the change event
occurred (e.g., Active Directory, Service, Group Policy, etc.).

Action

This field defines the action associated with the selected event.

Facility

This field defines the event class facility to which the change event belongs.

Class

For Active Directory and Exchange events, this field displays the object class that was
modified, such as user, group, computer, nTDSConnection, CrossRefContainer.

Attribute

If an attribute has been added, deleted or modified, this field displays the name of the
attribute.

Type

For Active Directory events associated with groups, this field displays the type of group that
was modified (e.g., Global (Security), Domain Local (Security)).
For AD Query events, this field displays the type of query:

LDAP

GC

Object

For Active Directory and Exchange events, this field displays the name of the object that was
modified.

SSL/TLS

For Active Directory and AD Query events, this field indicates whether the LDAP operation or
LDAP query is secured using SSL or TLS technology.
NOTE: If you upgraded from a previous version of Change Auditor, the event details for
pre-5.5 Active Directory and AD Query events will not include this field.
NOTE: If changes are initiated within LSASS and not through the LDAP protocol itself, this
field will not be captured.

Sign/Seal

For Active Directory and AD Query events, this field indicates whether the LDAP operation or
AD query is signed using Kerberos-based encryption.
NOTE: If you upgraded from a previous version of Change Auditor, the event details for
pre-5.5 Active Directory and AD Query events will not include this field.
NOTE: If changes are initiated within LSASS and not through the LDAP protocol itself, this
field will not be captured.

Scope

For AD Query events, this field displays the scope of coverage:

This object only

This object and all children

Results

For AD Query events, this field displays the number of results returned as a result of the
query.

Occurrences

For AD Query events, this field displays the number of times the AD query occurred during
the specified interval.

Since

For AD Query events, this field displays the date and time when the AD query was first
initiated.

Elapsed

For AD Query events, this field displays how long the AD query took to run. Zero (0) indicates
that it took less than a millisecond to complete.


Filter

For AD Query events, this text box displays the filter string used in the AD query.

Attributes

For AD Query events, this text box displays the attributes that were queried.

Path

For File System events (including EMC and NetApp), this field displays the full path of the
file or folder where the modification occurred.

Process

For File System events, this field is populated with the full path of the application
responsible for the file change.

Service

For Service events, this field displays the name of the service(s) that were modified.

Key

For Registry events, this field displays the name of the registry key that was modified.

Value

For Registry events, this field displays the registry value that was modified.

Policy

For Group Policy events, this field displays the name of the group policy that was modified.

Section

For Group Policy events, this field displays what section of the group policy was modified.

Item

For Group Policy events, this field displays the group policy item that was modified.

Account

For Local Account events, this field displays the local account that was modified.

From

This text box lists the old value that was assigned to the object.

To

This text box lists the new value that is now assigned to the object.
NOTE: The To and From information does not apply to permission/ACL (Access Control List)
type changes and is replaced with the Changes section. This information is also not available
for occurrence type events, e.g., when an object is created or deleted.

Farm

For SharePoint events, this field displays the name of the SharePoint farm to which the
modified component belongs.

Site

For SharePoint events, this field displays the name of the SharePoint site to which the
modified component belongs.

Item URL

For SharePoint events, this field displays the URL of the SharePoint item that was modified.

Audited Host

For VMware events, this field displays the IP address or name of the ESX host or vCenter
server being audited (as specified in the VMware Auditing template).

Host

For VMware events, this field displays the name of the host where the change occurred.

Compute Res

For VMware events associated with compute resources, this field displays the name of the
compute resource where the change occurred.

VM

For VMware events, this field displays the name of the virtual machine where the change
occurred.

Net

For VMware events associated with network objects, this field displays the name of the
network object where the change occurred.

Data Center

For VMware events, this field displays the name of the datacenter where the change
occurred.

Store

For VMware events associated with datastore objects, this field displays the name of the
datastore where the change occurred.

DVS

For VMware events associated with a Distributed Virtual Switch (DVS), this field provides the
name of the DVS where the change occurred.

Mailbox

For Exchange Online Mailbox events, this field displays the account name of the online
mailbox where the change occurred.

Folder

For Exchange Online Mailbox events, this field displays the folder name where the change
occurred.

Cmdlet

For Exchange Online Administration events, this field displays the name of the administrative
cmdlet that was run.

Object

For Exchange Online Administration events, this field displays the name of the object within
the administrative cmdlet that was modified.


Logon Start

For Logon Session events, this attribute displays the date and time when the user initially
logged onto the computer.

Logon End

For Logon Session events, if applicable this attribute displays the date and time when the
user logged out of the computer.

Duration

For Logon Session events, depending on the event this attribute displays how long the user
session lasted or how long the user was actually logged onto the computer.

Session Start

For Logon Session events, this attribute displays the date and time when the current user
session began.

Session End

For Logon Session events, if applicable this attribute displays the date and time when the
current user session ended.

Start

For SonicWALL events, this field displays the date and time when the activity started.

End

For SonicWALL events, this field displays the date and time when the activity ended.

Duration

For SonicWALL events, this field displays the duration of the activity.

Authentication

For SonicWALL events, if available from the firewall this field displays the user
authentication type (SSO, NTLM, local) used to access the web or cloud storage site.

User Zone

For SonicWALL events, if available from the firewall this field displays the zone name (e.g.,
LAN or WAN) of the user who initiated the activity.

Site IP

For SonicWALL events, if available from the firewall this field displays the IP address of the
site where the activity occurred.

Site Zone

For SonicWALL events, if available from the firewall this field displays the zone name (e.g.,
LAN or WAN) of the site where the activity occurred.

Site Port

For SonicWALL events, if available from the firewall this field displays the port number (80,
443, etc.) of the site where the activity occurred.

Site Application

For SonicWALL events, if available from the firewall this field displays the application name
for the site where the activity occurred.

Site Category

For SonicWALL events, if available from the firewall this field displays the application
category for the site where the activity occurred.

Site Country

For SonicWALL events, if available from the firewall this field displays the IP address Geo-IP
country location for the site where the activity occurred.

<list>

For SonicWALL events, if available from the firewall this field displays the full URL(s) of the
site where the activity occurred.

View search results


To view the results of a search:
1. From the Searches page, run a search.

For each search that is run, a new search results page will automatically be created and opened,
allowing you to view the event records returned.

2. When multiple search results are active, select the heading tab at the top of a search page to view the
selected search results.

3. Use the column controls to sort, rearrange, or group the data displayed. See Customize table content for
more information on using the column controls to customize the content of this page.

Change Auditor also provides advanced filtering options that allow you to modify the results of a search
without changing the original search. Click in the Click here to filter data ... cell to enter the criteria to
be used to filter the data displayed. See Filter data for more information on using Change Auditor's
filtering feature.

Display results in different formats


When a grouping is created (for example, a single column heading is dragged up into the heading area to group
the data), three icons are added to the heading area which can be used to display the data in a different
format. The following icons/formats are available:

Data Grid: Select the data grid icon to redisplay the data in the grid format (default format).

Pie Chart: Select the pie chart icon to display a pie chart showing the correlated data. Move your cursor
over the pieces in the pie chart to display the label and number of items that make up that piece of the
pie.

Bar Graph: Select the bar graph icon to display a bar graph showing the correlated data. Move your
cursor over the bars in the graph to display the label and number of items that make up that bar.
NOTE: The Pie Chart and Bar Graph displays are only available when a single level grouping has been
applied to the data grid. Also, when the search results are too numerous to chart, a message will display
stating that there are too many items to display them all.

Preview search results


Research found that customers modify a search three times on average. Thus, the criteria definition is
now in-line with the results, which enables you to preview and modify the results without closing and opening
multiple dialogs.

To modify search criteria and preview the results:


1. Open the Search Results page for a search where you want to preview changes based on new search
criteria.

2. Click the Search Properties tool bar button or right-click command to display the Search Properties tabs
across the bottom of the page.

3. Modify the search criteria and then click the Preview Changes tool bar button from one of the Search
Properties tabs.

The results of the modified search appear at the top of the open Search Results page. An asterisk is
appended to the name in the tab denoting that the search properties have been modified and these
changes have not yet been saved.

Once you achieve the desired results, you can use the Save or Save As tool bar buttons on one of the
Search Properties tabs to save the modifications made to the search criteria.

Dell Change Auditor 6.7


User Guide

52

Compare results side-by-side


Change Auditor allows you to run two searches side-by-side simultaneously. When multiple Change Auditor
pages are open, you can split the current screen to display two or more pages at the same time. For example,
you can view multiple search results pages in the Change Auditor client allowing you to compare the results
against each other.
NOTE: For optimal viewing, this feature should be used in a dual monitor configuration.

To compare results side-by-side:


1. Run the searches to be compared. On the Search Results pages, we recommend that you hide the Event
   Details pane and Search Properties tabs so that when the screen splits, you will have more space for
   viewing events.

2. Right-click the heading tab of one of these Search Results pages and select one of the following
   commands:

   - New Horizontal Tab Group - to view two or more panes down the screen.
   - New Vertical Tab Group - to view two or more panes across the screen.

   This will split the screen (either horizontally or vertically depending on the command selected)
   displaying multiple pages in the single view.

3. To move a page from one pane to another, right-click the heading tab of the page to be moved and select
   the Move to Next Tab Group menu command. This will move the selected page to the other pane
   displayed. To move this page back, right-click the heading tab and select the Move to Previous Tab
   Group menu command.

4. To close the split screen and return to a single pane, use the Action | Reset Display menu command.

View event details or search properties


From the Search Results page, you can view the search properties used to generate the displayed events or you
can access more detailed information about an event. Using the tool bar buttons at the top of the Search
Results page, you can easily switch between the Search Properties tabs and Event Details pane at any time.

To display event details for an event:


1. Open a Search Results tab and select an event from the Search Results grid.

2. If neither the Search Properties tabs nor the Event Details pane is being displayed (or the Search
   Properties tabs are displayed), use one of the following methods to display the event details:

   - double-click the event entry in the results grid
   - click the Event Details tool bar button
   - right-click the event and select Event Details

3. To hide the Event Details pane, use the hide button in the upper right corner of the Event Details pane.

To display search properties for an event:


1. Open a Search Results tab and select an event from the Search Results grid.

2. If neither the Search Properties tabs nor the Event Details pane is being displayed (or the Event
   Details pane is displayed), use one of the following methods to display the search properties:

   - click the Show Properties tool bar button
   - right-click the event and select Show Properties

3. To hide the Search Properties tabs, use the hide button in the upper right corner of the Search
   Properties pane.

Display events knowledge base entry


In addition to the search properties and event details, Change Auditor provides access to an audit event
knowledge base. This knowledge base links to the associated Event Reference Guide where you can find
information such as how Change Auditor detected the configuration change event, what the changed parameter
controls, and the consequence of such a change.

To display knowledge base entry for an event:


1. Open a Search Results tab and select an event from the Search Results grid.

2. Use one of the following methods to launch the Change Auditor knowledge base:

   - From the Search Results grid, right-click the event and select Knowledge Base.
   - From the Event Details pane, click the Knowledge Base tool bar button.

   This will open your browser and display the associated Event Reference Guide.

Email event details


To email an event's details:

1. Open a Search Results tab and select an event from the Search Results grid.

2. Use one of the following methods to email the selected event's details:

   - Right-click the event in the Search Results grid and select Email.
   - From the Event Details pane, click the Email tool bar button.

   NOTE: You can also hold down the Shift key while clicking the Email button to email additional
   event details. This additional information may be requested from the Dell Support staff for
   troubleshooting purposes.

3. This will create a new email containing the contents of the Event Details pane. Enter the recipient's
   email address (in the To and CC fields) and edit the subject line if desired.

4. Click Send.

   If applicable, the Internet Connection wizard will be displayed allowing you to create a new Internet
   account, which includes the following information:

   - display name as you would like it to appear in the From field of the outgoing message
   - your email address
   - your incoming mail server
   - your outgoing mail (SMTP) server

Copy event details


To copy an event's details:

1. Open a Search Results tab and select an event from the Search Results grid.

2. Use one of the following methods to copy the contents to the clipboard:

   - Right-click the event and select Copy.
   - From the Event Details pane, click the Copy tool bar button.

   NOTE: You can also hold down the Shift key while clicking the Copy button to copy additional
   event details to the clipboard. This additional information may be requested by the Dell Support
   staff for troubleshooting purposes.

3. Open the application (e.g., Notepad) to which the content is to be pasted, right-click and select Paste.

Add comments
Change Auditor allows you to append comments to an event which can then be later specified as search criteria
to retrieve all the events that contain a specific comment or keyword.

To add comments to an event:


1. Open a Search Results tab and select an event from the Search Results grid.

2. Use one of the following methods to add or append comments to the selected event:

   - Right-click the event and select Comments.
   - From the Event Details pane, click the Comments tool bar button.

3. This will display the Comments dialog. In the New Comments text box at the bottom of this dialog, enter
   the comments to be associated with the selected event.

4. Click OK to close the dialog and return to the Search Results tab.

To view comments:
1. Open a Search Results tab and select an event from the Search Results grid.

2. Use one of the following methods to view or append comments to the selected event:

   - Right-click the event and select Comments.
   - From the Event Details pane, click the Comments tool bar button.

   This will display the Comments dialog where previously entered comments are displayed in the top pane.

3. To append a new comment to those that already exist, use the text box at the bottom of the screen to
   enter your new comment.

4. Click OK to close the dialog and return to the Search Results tab.

View user context and run related searches


From the Event Details pane you can view additional details about the user who initiated the change, view
resource details about the computer where the change occurred, or run related searches based on the who,
where, what, when or origin of the event selected in the Search Results grid.
Expand the Related Search tool bar button on the Event Details pane to display the options available, which are
based on the selected event:

Who: Select this option to run a query for all change events generated by this user during the same date
interval as that specified in the When tab of the selected event.

View Contact Card: For events with a user object, select this option to view contact information and
group membership for this user.

Where: Select this option to run a query for all change events captured by this agent during the same
date interval as that specified in the When tab of the selected event.

View Resources: Select this option to display the Resource Properties pane for this server, which
includes: Machine Info, Processors, Drives, Shares, Services, and if applicable Exchange Mailboxes.
See Resource Properties pane for more details about the resource details provided.

What: Select this option to run a query for change events captured for this event class during the same
date interval as that specified in the When tab of the selected event.

When: Select this option to run a query for change events that occurred on this date.

Origin: Select this option to run a query for change events that originated from this workstation or
server during the same date interval as that specified in the When tab of the selected event.

Object: Select this option to run a query for change events generated against this object during the
same date interval as that specified in the When tab of the selected event.
NOTE: When selecting an object that contains a path, the related search will only return related
events where the full paths are the same.
NOTE: This last option is the object from the original event, such as a file or folder, directory
object, registry key, etc.


To view the contact information and group membership for a user:


1. At the top of the Search Results page, select an event to display the related Event Details pane.

2. At the top of the Event Details pane, click the arrow to the right of the Related Search tool bar button
   and select View Contact Card.

   The contact information appears for the user who initiated the change in the selected audit event. In
   addition, the Member Of pane on this dialog lists the groups to which this user belongs.

3. Click the OK button to close this dialog.

To run a query for events generated by the same user:


1. At the top of a Search Results page, select an event to display the related Event Details pane.

2. At the top of the Event Details pane, click the arrow to the right of the Related Search tool bar button.

3. Click the first entry in the context menu, which is the name of the user who initiated the change in the
   selected audit event.

   A new Search Results page appears populated with all change events generated by this user during the
   same date interval as that specified in the When tab of the selected event.
   Note that the user's name is used as the Search Name (name on tab) for this new query.

To view resource properties about the server where the change occurred:
1. At the top of the Search Results page, select an event to display the related Event Details pane.

2. At the top of the Event Details pane, click the arrow to the right of the Related Search tool bar button.

3. Select View Resources.

   The Resource Properties pane appears which contains additional details about the server where the
   change occurred. See Resource Properties pane for more information about the content of the tabbed
   pages on this pane.

Add search properties to existing event queries

After selecting a specific event from the results of a search, the Event Details pane will allow you to further
refine your search criteria. Expand the Add to Search tool bar button to display the available options for
refining your current search. These options are produced from the details of the selected event and may differ
between event types.
Choosing a criterion from this list will add it to your current search. You can then preview the refined results
before saving the search. Once saved, the new search criteria will be permanent.


7
Custom Searches and Search Properties

Introduction

Create a custom search

Search Properties tabs

Introduction
Change Auditor enables you to create custom search definitions to search for the configuration changes that
need to be tracked in your environment. You will use the search properties tabs across the bottom of the
Searches page to define new custom searches.
This chapter provides steps on how to create custom searches and to preview search results. It also provides a
description of the Search Properties tabs and how to use these tabs to customize your searches. For a
description of the other dialogs mentioned in this chapter, refer to the online help.

Create a custom search


The following procedure provides the general steps involved in creating a custom search. For more specific
instructions on using the Search Properties tabs to define search criteria, refer to the appropriate section later
in this chapter.

To define a new search:


1. Open the Searches page.

2. In the explorer view (left pane), expand and select the folder where you want to save your search.
   Selecting the Private folder will create a search that only you can run and view, whereas selecting the
   Shared folder will create a search which can be run and viewed by all Change Auditor users.

3. Click the New tool bar button at the top of the Searches page (or right-click a folder and select the New
   | New Search menu command).

4. On the Search Properties tabs, enter the search criteria to be used.

   - Info - enter a name and description for the search
   - Who - allows you to search for events generated by a specific user, computer or group
   - What - allows you to search for events based on subsystem, event class, object class, severity or
     result
   - Where - allows you to search for events captured by a specific agent, domain or site
   - When - allows you to search for events that occurred during a specified date/time range
   - Origin - allows you to search for events that originated from a specific workstation or server

   NOTE: When you specify criteria on more than one search properties tab (e.g., Who, What and
   Where tabs), Change Auditor first evaluates each individual tab's criteria and then chains the
   individual tabs' criteria together using the AND operator, returning only those events that meet
   all of the search properties specified on the different tabs.

5. If you want to be notified when an event is captured as a result of this custom search, open the Alert tab
   to enable and define how and where to dispatch alerts when the selected search criteria is met. Refer to
   Enable Alert Notifications for more information on setting up alert notifications.

6. Once you have defined the search criteria to be used, you can either save the search definition or run
   the search.

   - To save and run the search, click Run from one of the Search Properties tabs.
   - To save the search definition without running it, click Save from one of the Search Properties
     tabs.
   - To create a new search using a different name than was initially entered, click Save As | Save As
     from one of the Search Properties tabs.
   - To save the search definition as the new default for new searches, click Save As | Save As
     Default from one of the Search Properties tabs.

Search Properties tabs


You will use the Search Properties tabs, which are displayed across the bottom of the Searches page, to define
custom search criteria. The Search Properties tab pane consists of the following tabs:

Info tab

Who tab

What tab

Where tab

When tab

Origin tab

Alert tab (Search Properties tabs)

Report tab (Search Properties tabs)

Layout tab

SQL tab

XML tab

To display/activate the Search Properties tabs:


1. From the Searches page, use one of the following methods to display/activate these tabs:

   - click the Show Properties tool bar button
   - right-click a folder (left pane) or search definition (right pane) and select Show Properties
   - select a folder (left pane) or search definition (right pane) and click the New | New Search tool
     bar button or right-click command

   NOTE: You can also display the Search Properties tabs from a Search Results tab, using the Search
   Properties tool bar button or right-click command.

2. Use the hide button in the upper right corner of the Search Properties tab pane to hide this pane.

Info tab
The Info tab is the first of the Search properties tabs. From this tab, you can view or enter the name and
description of a search definition. You can also define the maximum number of records to be retrieved and
displayed, or enable a refresh interval that defines how often the client is to retrieve and redisplay updated
information.
The Info tab contains the following information/controls:
Table 7. Info tab: Field/control descriptions

Field/Control: Description

Search Name: Displays the name of the selected search.
When creating a new search, place your cursor in this text box and enter a descriptive name for the search.

Search Description: Displays the description of the selected search.
To add a description to a new search, place your cursor in this text box to enter a brief description of the
search.

Search Limit: Specifies the maximum number of records to be retrieved and displayed by the client. By
default, the maximum of 50,000 records will be returned from the database during a single request. Select
this check box and use the arrow controls to change the search limit for the selected search.
NOTE: Clearing this check box removes the search limitation, which may increase both client memory and
wait time if expected search results are over 100,000. Therefore, it is highly recommended that you leave
this check box checked and use the defined search limit.

Refresh Interval: Specifies how often the client is to retrieve and redisplay updated information. Select
this check box and use the arrow controls to enable and set the refresh interval for the selected search.
When this option is checked, an additional field, Next Refresh, will be added to the heading area of the
Search Results grid.
NOTE: This option is not checked by default for new searches, only for the default favorite search (Change
Auditor Real-Time) used in the Overview page. The default interval for the default favorite search is five
minutes.

To name a new search:


1. Place your cursor in the Search Name text box and enter a descriptive name for the search.
   NOTE: If you do not enter a new name for your search, it will be named New Search.

2. Place your cursor in the Search Description text box and enter a brief description of the search. This
   step is optional.

3. After entering the search name and optional description, proceed to the other Search Properties tabs to
   enter the search criteria.

To change the maximum number of records to be retrieved:


The Search Limit field specifies the maximum number of records to be retrieved and displayed for the selected
search. By default, a maximum of 50,000 records will be returned from the database during a single request.

1. To restrict the search results to a specific number of records, ensure that the Search Limit check box is
   checked.

2. Set the value to the maximum number of events to be returned.

   NOTE: Clearing this check box removes the search limitation, which may increase both client
   memory and wait time if expected search results are over 100,000. Therefore, it is highly
   recommended that you leave this check box checked and use the defined search limit.

To set a refresh interval:


The Refresh Interval field specifies how often the client is to retrieve and redisplay updated information.

1. Select the Refresh Interval check box to enable this feature and activate the field to the right of this
   field.
   NOTE: This option is not checked by default for new searches, only for the default favorite search
   (Change Auditor Real-Time) used in the Overview page. The default interval for the default
   favorite search is five minutes.

2. Enter or use the arrow controls to set the refresh interval (how many minutes between refreshes) for the
   selected search.
   When this option is checked, an additional field, Next Refresh, will be added to the heading area of the
   search results grid whenever this search is run.

Who tab
The Who tab allows you to view or define the users, computers and/or groups to be included in (or excluded
from) the search definition. When multiple who criteria is specified on this tab, Change Auditor uses the OR
operator to evaluate change events, returning events for activity performed by any of the users, computers, or
groups listed.
NOTE: You can add a group to a search to find all events made by the members of that group. Change
Auditor must expand and store the membership of the group before all expected events are returned
when the search is run. When the search is saved, Change Auditor will expand the group if it has not
already been expanded. This may take several minutes, depending on your environment. Refer to Group
Membership Expansion pane for the options available regarding group expansion.
NOTE: Activity performed by an account specified in an Excluded Accounts template will not be captured
by the agent(s) to which this template is assigned. Thus, Change Auditor will not return any audit events
for these excluded accounts even if you specify them in your who search criteria. For more information
on excluding accounts, refer to Account Exclusion.
The Who tab contains the following information/controls:
Table 8. Who tab: Field/control descriptions

Field/Control: Description

Runtime Prompt: Select this check box to prompt for the who criteria when this search is executed. That is,
when the Run tool bar button is selected, the Select Active Directory Object dialog will be displayed
allowing you to locate and select the users, computers or groups to be searched.
NOTE: When this check box is checked, the Add tool bar buttons will be deactivated.
NOTE: You cannot enable alerting for search definitions that use the Runtime Prompt option.

Exclude the Following Selection(s): Select this check box to specify the users, computers or groups to be
excluded from the search. That is, Change Auditor is to search all users, computers and groups except those
listed.

Include Event Source Initiator: Select this check box if you want to include events generated by One
Identity ActiveRoles Server or GPOADmin in the search. Selecting this check box instructs Change Auditor to
retrieve all change events made by the specified user account, including those initiated by One Identity
ActiveRoles Server and GPOADmin.
NOTE: An additional column (Initiator UserName) is added to the Search Results grid that contains the user
information of who made the change through One Identity ActiveRoles Server or GPOADmin.

Who list: Contains the individual users, computers and/or groups to be included in the search (or excluded
from the search if the Exclude the Following Selection(s) option is checked).
By default, all users, computers and groups will be included in a new search definition and therefore, this
list will be empty.

To search for events generated by a specific user, computer or group:


NOTE: By default, for each new search Change Auditor will search for change events generated by all
users, computers and groups; therefore, the list box on the Who tab will be empty.

1. On the Who tab, click the Add tool bar button to add an active user, computer or group to the who list.

2. On the Select Active Directory Object dialog, use either the Browse or Search page to search your
   environment to locate and select the user, computer or group to be included. Click the Add button to
   add it to your selection list.
   Repeat to include each additional directory object.

3. After selecting one or more directory objects, click the Select button to save your selection and close
   the dialog.
   NOTE: You can use the Add with Events tool bar button (instead of Add) to select a user, computer
   or group that already has an audit event associated with it in the database. The accounts available
   for selection are based on the when clause (When tab) and the search limit (Info tab) specified
   for the current search.
   Use this feature to search for events that are tied to users who have been removed from Active
   Directory.

4. When this search is run, Change Auditor will now search for change events generated by only the user(s),
   computer(s) and group(s) listed on the Who tab.
   TIP: If you are running One Identity ActiveRoles Server or GPOADmin and want to include events
   generated by One Identity ActiveRoles Server or GPOADmin in the search, select the Include Event
   Source Initiator check box. For more information, see the Dell One Identity ActiveRoles Server
   Integration or Dell GPOADmin Integration appendices in the Dell Change Auditor Installation
   Guide.

To use a wildcard expression to specify a user or group:


1. On the Who tab, expand the Add tool bar button and select the Add Wildcard Expression option.

2. On the Add Who dialog, enter the wildcard expression to be used to search for a user (domain\user
   name) or group (domain\group name):

   - Select the comparison operator to be used: Like or Not Like.
   - In the field to the right, enter the pattern (character string and * wildcard character) to be used
     to search for a match. Use the * wildcard character to match any string of zero or more
     characters.
     For example, LIKE *admin* will find all users with the character string admin anywhere in the
     name.
   - By default, the wildcard expression will be used to search for a user. To search for a group, select
     the Group option.
     NOTE: When using the Group option, the Group Membership Expansion option on the
     Coordinator Configuration page (on the Administration Tasks tab) must be set to Expand all
     groups.

3. After entering the wildcard expression to be used, click the OK button to close the dialog and add the
   wildcard expression to the who list.

4. When this search is run, Change Auditor will search for change events generated by the users (or users
   that are members of the groups) whose name matches the specified wildcard expression.

What tab
Use the What tab to define what entities are to be included (or excluded) in the search. More specifically,
using this tab you can create a search for events based on:

Subsystem

Event Class

Object Class

Severity

Result

When criteria is specified on the What tab, Change Auditor will retrieve only those events that match the
criteria listed on the What tab. When multiple what criteria is specified on this tab, Change Auditor uses the
AND operator to evaluate an event and returns only those events that meet all the specified criteria. However,
when multiple subsystems (e.g., Active Directory, ADAM and Exchange) are specified, Change Auditor uses the
OR operator to evaluate these entities, returning events that meet any of the specified subsystem criteria.
This also applies when multiple event classes are specified. That is, when multiple event classes are specified,
Change Auditor uses the OR operator and returns any of the specified events.
NOTE: By default, all Change Auditor events will be included in a new search definition and therefore the
list box on the What tab will be empty.
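
The evaluation rules described for the Search Properties tabs (tabs chained with AND, who entries ORed, what criteria ANDed except that multiple subsystems or event classes are ORed, and the * wildcard) can be modeled as shown here, which helps when predicting whether an added criterion widens or narrows an alerting search. This is an added illustration, not Change Auditor code. Assumptions: the event fields, event class names and severity values are constructed; matching is case-insensitive; repeated values of any one entity type are ORed (the guide states this only for subsystems and event classes).

```python
import re
from datetime import datetime


def wildcard_match(pattern, value):
    """Like-style match where * stands for zero or more characters.
    Case-insensitive comparison is an assumption of this sketch."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def who_matches(event, entries, exclude=False):
    """Who tab: entries are ORed; an empty list means all users."""
    if not entries:
        return True

    def hit(op, pattern):
        if op == "is":
            return event["who"].lower() == pattern.lower()
        matched = wildcard_match(pattern, event["who"])
        return matched if op == "like" else not matched  # "not like"

    result = any(hit(op, pattern) for op, pattern in entries)
    # "Exclude the Following Selection(s)" inverts the list.
    return not result if exclude else result


def what_matches(event, criteria):
    """What tab: values of one entity type are ORed, entity types are ANDed."""
    by_entity = {}
    for entity, value in criteria:
        by_entity.setdefault(entity, set()).add(value)
    return all(event.get(entity) in values for entity, values in by_entity.items())


def in_list(event, key, values):
    """Where and Origin tabs: an empty list means no restriction."""
    return not values or event[key] in values


def when_matches(event, start=None, end=None):
    """When tab: inclusive date/time range, either bound optional."""
    return (start is None or event["when"] >= start) and \
           (end is None or event["when"] <= end)


def run_search(events, search):
    """Chain the tabs with AND: an event must satisfy every tab."""
    return [
        e["id"] for e in events
        if who_matches(e, search.get("who", []), search.get("who_exclude", False))
        and what_matches(e, search.get("what", []))
        and in_list(e, "where", search.get("where", []))
        and in_list(e, "origin", search.get("origin", []))
        and when_matches(e, *search.get("when", (None, None)))
    ]


# Constructed sample events (not product output).
EVENTS = [
    {"id": 1, "who": "CORP\\admin.jane", "subsystem": "Local Account",
     "event_class": "Local user added", "severity": "High",
     "where": "SRV01", "origin": "WS10", "when": datetime(2015, 3, 2, 9, 0)},
    {"id": 2, "who": "CORP\\bob", "subsystem": "Local Account",
     "event_class": "Local user added", "severity": "High",
     "where": "SRV01", "origin": "WS11", "when": datetime(2015, 3, 2, 10, 0)},
    {"id": 3, "who": "CORP\\SvcAdmin", "subsystem": "Registry",
     "event_class": "Registry key changed", "severity": "High",
     "where": "SRV02", "origin": "WS10", "when": datetime(2015, 3, 3, 8, 0)},
    {"id": 4, "who": "CORP\\admin.jane", "subsystem": "File System",
     "event_class": "File deleted", "severity": "Low",
     "where": "SRV01", "origin": "WS10", "when": datetime(2015, 3, 4, 8, 0)},
]

if __name__ == "__main__":
    search = {
        "who": [("like", "*admin*")],
        # Two subsystems widen the match (OR); severity narrows it (AND).
        "what": [("subsystem", "Local Account"), ("subsystem", "Registry"),
                 ("severity", "High")],
    }
    print(run_search(EVENTS, search))
```
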
Once criteria is added, the criteria list box contains an expandable view displaying the following information for
all the criteria defined for the search definition:

Entity
Lists the entity (subsystem, event class, object class, severity or result) selected. Expanding the Entity
entry displays the specific criteria and any options or restrictions, defined as part of the search criteria.

Exclude
Indicates whether the criteria is to be included in (False) or excluded from (True) the search definition.

Action(s)
When applicable, this column displays the actions (all, add attribute, delete attribute, modify attribute,
rename object, add object, delete object, or other) included in the search definition.

Transport(s)
When applicable, this column displays the transports (all, SSL/TLS or Sign/Seal) included in the search
definition.


Click the expansion box to the left of the Entity field to expand this view to display the following details:

Object
Displays the object selected for auditing.

Restriction
If applicable, this field displays the additional restrictions specified for the search definition.
NOTE: Only displayed when the entity is an Event Class.

Scope
Indicates the scope specified (All Object, This Object, This Object and Child Objects Only, This Object
and All Child Objects).
NOTE: Only displayed when the entity is Active Directory, ADAM, Exchange, File System, Group
Policy, Local Account or Registry.

Action(s)
Lists the actions specified in the search criteria (e.g., Add Object, Delete Object, Move Object, etc.).
NOTE: Only displayed when the entity is Active Directory, ADAM, Exchange, File System, Group
Policy, Local Account or Registry.

Transport(s)
Lists the transports included in the search criteria (All, SSL/TLS or Sign/Seal).
NOTE: Only displayed when the entity is Active Directory, ADAM, Exchange or AD Query.


Examples of custom searches based on what criteria


NOTE: Only what criteria that does NOT require a specific Change Auditor license is covered in this
section. For more information about what criteria that requires a specific license, refer to the
appropriate Change Auditor User Guide:

Object Class - Dell Change Auditor for Active Directory User Guide

Subsystem | Active Directory - Dell Change Auditor for Active Directory User Guide

Subsystem | AD Query - Dell Change Auditor for Active Directory Query User Guide

Subsystem | ADAM (AD LDS) - Dell Change Auditor for Active Directory User Guide

Subsystem | Exchange - Dell Change Auditor for Exchange User Guide

Subsystem | Exchange Online - Dell Change Auditor for Exchange User Guide

Subsystem | File System - Dell Change Auditor for Windows File Servers User Guide, Dell
Change Auditor for EMC User Guide or Dell Change Auditor for NetApp User Guide

Subsystem | Group Policy - Dell Change Auditor for Active Directory User Guide

Subsystem | Logon Activity - Dell Change Auditor for Logon Activity User Guide

Subsystem | SharePoint - Dell Change Auditor for SharePoint User Guide

Subsystem | SonicWALL - Dell Change Auditor for SonicWALL User Guide

Subsystem | SQL - Dell Change Auditor for SQL Server User Guide

To search for events based on an event class or facility:


1. On the What tab, click the Add tool bar button. (Or expand the Add button and select Event Class.)
   NOTE: You can use the Add with Events | Event Class command (instead of Add | Event Class) to
   select an entity that already has an event in the database.

2. On the Add Facilities or Event Classes dialog, select a single event, click the Add button and select the
   Add This Event or Add All Events in Facility command.
   NOTE: When multiple events are selected, Change Auditor uses the OR operator to evaluate the
   change events, returning any of the events specified.

3. Depending on the event class entry selected in the data grid, an additional Restriction pane may be
   displayed across the middle of this dialog.

   For some event classes, use the restriction pane to specify 'from' and/or 'to' value restrictions. To define
   a restriction, select the appropriate check box and enter the value.

   For other event classes (such as DNS Zone, Distribution and Security groups), use the restriction pane to
   apply filter options for filtering by individual parameter values (for example, auditing of static DNS
   entries).

   To do this, select the Filter by parameter check box and then select from the available parameter
   values that are activated (e.g., for the DNS Entry Type parameter, you can select Static and/or
   Automatically expiring).

4. Once you have defined the restrictions, use either the Add or Update Restriction buttons as described
   below:

   - If the event has not been added to the Selections list box, click the Add button to add the event
     to the selection list.
   - If the event was previously added to the Selections list box, click the Update Restriction button
     to update the restrictions for the event.

   NOTE: You can also use the Shift and Ctrl keys to add multiple event classes to the selection list.
   However, the restrictions pane and the Add | Add All Events in Facility command will not be
   available when multiple event classes are selected.
   NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all event
   classes/facilities except those listed in the what list.
   NOTE: Select the Runtime Prompt check box on this dialog, to prompt for the facility or event
   class criteria every time the search is run. When this check box is checked, the data grid and
   buttons on this dialog will be disabled.
   You cannot enable alerting for search definitions that use the Runtime Prompt option.

5. Once you have made your selection(s), click the OK button to save your selection and close the dialog.

The search criteria listed on the What tab now defines what will be searched for when this search is run.

To search for changes to local users or groups:


1. On the What tab, expand the Add tool bar button and select Subsystem | Local Account.
   NOTE: You can use the Add with Events | Subsystem | Local Account command (instead of Add | Subsystem | Local Account) to select an entity that already has an event in the database.

2. On the Add Local Account dialog, select one of the following options to define the scope of coverage:
   - All Objects - select this option to include all objects
   - This Object - select this option to include individual objects

3. If you selected This Object, the data grid, which displays a list of all the users and groups in the local SAM databases on the selected Member Server, and associated buttons will be enabled.

4. To add an account, select the account in the data grid and click the Add button to add it to the selection list at the bottom of the dialog. Repeat to add additional accounts.

5. To replace an account in the selection list, select the new account in the data grid, select the old account in the selection list and click the Update button. The entry in the selection list will be replaced with the new account.

6. To select a local account on a different computer, click the Browse button to the right of the Account field. On the Select Active Directory Object dialog, use the Browse or Search pages to locate and select another computer. Click the Select button to save your selection and close the dialog.
   On the Add Local Account dialog, the local user and group accounts available on the specified computer will then be displayed in the data grid.
   NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events generated by all local accounts except those listed in the what list.
   NOTE: Select the Runtime Prompt check box on this dialog to prompt for a local account every time the search is run. When this check box is checked, the data grid and buttons on this dialog will be disabled. You cannot enable alerting for search definitions that use the Runtime Prompt option.

7. Once you have selected the local accounts to be included in the search, click the OK button to save your selection and close the dialog.

When this search is run, Change Auditor will search for events generated by the local account(s) listed on the What tab.

To search for changes to registry keys:


NOTE: Registry auditing is only available when you have applied custom Registry Auditing templates that define the registry changes to be audited. See Registry Auditing for more information on capturing registry events.

1. On the What tab, expand the Add tool bar button and select Subsystem | Registry.
   NOTE: You can use the Add with Events | Subsystem | Registry command (instead of Add | Subsystem | Registry) to select an entity that already has an event in the database.

2. On the Add Registry Key dialog, select one of the following options to define which system registry keys are to be included in your search definition:
   - All Registry Keys - select this option to include all registry keys
   - This Object - select this option to include only the selected objects
   - This Object and Child Objects Only - select this option to include the selected objects and its direct child objects
   - This Object and All Child Objects - select this option to include the selected objects and all subordinate objects (in all levels)

3. By default, All Actions is selected meaning that all of the registry actions listed will be included in the search definition. However, you can clear the All Actions option and select individual actions for auditing.
   Select one or more of the following options:
   - All Actions - select this option to include all of the actions. When this option is selected, all of the other options are disabled. (Default)
   - Add Value - select this option to include when a new value is added to the selected registry key.
   - Delete Value - select this option to include when a registry key value is removed.
   - Modify Value - select this option to include when a registry key value is modified.
   - Add Key - select this option to include when a new registry key is added.
   - Delete Key - select this option to include when a registry key is removed.

4. When a scope option other than the All Registry Keys option is selected, the registry key hierarchy will be enabled allowing you to locate and select an individual registry key.
   Expand the hierarchy to locate and select a registry key. Then click the Add button to add it to the selection list box at the bottom of the dialog. Repeat to add additional registry keys.
   NOTE: If you selected the Add With Events command, the registry key hierarchy pane will be replaced with a data grid listing the registry keys that have an event associated with it in the database.

5. To replace a registry key in the selection list, select the new registry key in the hierarchy, select the old key in the selection list and click the Update button. The entry in the selection list will be replaced with the new registry key.

6. To select a registry key on a different computer, click the Browse button to the right of the Path field. On the Select a Directory Object dialog, use the Browse or Search pages to locate and select another computer. Click the Select button to save your selection and close the dialog.
   On the Add Registry Key dialog, the system registry keys associated with the specified computer will then be displayed in the hierarchy view.
   NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events in all registry keys except those listed in the what list.
   NOTE: Select the Runtime Prompt check box on this dialog to prompt for a registry key every time the search is run. When this check box is checked, the hierarchy pane/data grid and buttons on this dialog will be disabled. You cannot enable alerting for search definitions that use the Runtime Prompt option.

7. Once you have selected the registry keys to be included in the search, click the OK button to save your selection and close the dialog.

When this search is run, Change Auditor will search for the selected events (actions) in the registry key(s) listed on the What tab.

To search for changes to services:


NOTE: Service auditing is only available when you have applied custom Service Auditing templates that define the services to be audited. See Service Auditing for more information on capturing service events.

1. On the What tab, expand the Add button and select Subsystem | Service.
   NOTE: You can use the Add with Events | Subsystem | Service command (instead of Add | Subsystem | Service) to select an entity that already has an event in the database.

2. On the Add Service dialog, select one or more services from the list at the top of the dialog and click the Add button to move them to the selection list box at the bottom of the page.
   You can also click the Add All button to include all the listed services in the search definition.

3. To select services on a different computer, click the Browse button to the right of the You are viewing services on field. On the Select a Directory Object dialog, use the Browse or Search pages to locate and select another computer. Click the Select button to save your selection and close the dialog.
   On the Add Services dialog, the services found on the specified computer will then be displayed.
   NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events to all services except those listed in the what list.
   NOTE: Select the Runtime Prompt check box on this dialog to prompt for a service every time the search is run. When this check box is checked, the data grid and buttons on this dialog will be disabled. You cannot enable alerting for search definitions that use the Runtime Prompt option.

4. Once you have selected the services to be included in the search, click the OK button to save your selection and close the dialog.

When this search is run, Change Auditor will search for change events to the service(s) listed on the What tab.

To search for changes to a specific VMware host or virtual machine:


1. On the What tab, expand the Add button and select Subsystem | VMware.
   NOTE: You can use the Add with Events | Subsystem | VMware command (instead of Add | Subsystem | VMware) to select a host that already had an event associated with it in the database.

2. On the Add VMware Host dialog, select the This Object option. Selecting this option enables the remaining fields/controls on this dialog.
   - Click the check box under the Host Name heading to specify the VMware host (vCenter Server or host computer) to be included in the search.
     - Select the comparison operator to be used: Like or Not Like
     - Enter the full name of a VMware host (vCenter Server or individual host computer) or a pattern (character string and * wildcard character) to be used to search host names for a match. Use the * wildcard character to match any zero or more characters. For example, Like *host* will find VMware hosts that contain host anywhere in their name.
   - To restrict the search to a specific virtual machine, click the check box under the VM Name heading.
     - Select the comparison operator to be used: Like or Not Like
     - Enter the full name of the virtual machine or a pattern (character string and * wildcard character) to be used to search virtual machine names for a match. Use the * wildcard character to match any zero or more characters. For example, Like *dc* will find virtual machines that contain dc anywhere in their name.
     NOTE: If both the Host Name and VM Name are specified, both expressions must be met before an event will be returned.
   - Click the Add button to add the expression to the selection list at the bottom of the page.
   - Repeat this step to add any additional VMware hosts and/or VMs to the search query.
   NOTE: When multiple entries are added to the selection list at the bottom of this page, Change Auditor uses the OR operator to evaluate change events, returning events that meet any of the entries listed.
   NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all VMware hosts EXCEPT those listed in the what list.
   NOTE: Select the Runtime Prompt check box on this dialog to prompt for the VMware host every time the search is run. When this check box is checked, the options on this dialog are disabled. You cannot enable alerting for search definitions that use the Runtime Prompt option.

3. Once you have defined the VMware hosts/virtual machines to be included in the search, use the OK button to save your selection and close the dialog.

When this search is run, Change Auditor will search for changes to VMware hosts/virtual machines that meet the expression(s) specified on the What tab.


To search for events based on severity:


1. On the What tab, expand the Add button and select Severity.
   NOTE: You can use the Add with Events | Severity command (instead of Add | Severity) to select a severity that already has an event associated with it in the database.

2. On the Add Severities dialog, select one or more severity levels and click the Add button to add them to the selection list box at the bottom of the dialog.
   NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all events except those assigned a severity level that is listed in the what list.
   NOTE: Select the Runtime Prompt check box on this dialog to prompt for a severity every time the search is run. When this check box is checked, the data grid and buttons on this dialog will be disabled. You cannot enable alerting for search definitions that use the Runtime Prompt option.

3. Once you have defined the severity level(s) to be included in the search, use the OK button to save your selection and close the dialog.

When this search is run, Change Auditor will search for events with the severity level(s) that are included on the What tab.

To search for events based on result:


1. On the What tab, expand the Add button and select Result.
   NOTE: You can use the Add with Events | Result command (instead of Add | Result) to select an entity that already has an event associated with it in the database.

2. On the Add Results dialog, select one or more results (none, success, protected or failed) and use the Add button to add them to the selected list box at the bottom of the dialog.
   NOTE: Select the Exclude The Above Selection(s) check box if you want to search for all events except those with the selected result.
   NOTE: Select the Runtime Prompt check box on this dialog to prompt for a result every time the search is run. When this check box is checked, the data grid and buttons on this dialog will be disabled. You cannot enable alerting for search definitions that use the Runtime Prompt option.

3. Once you have defined the result(s) to be included in the search, use the OK button to save your selection and close the dialog.

When this search is run, Change Auditor will search for events with the result(s) that are included on the What tab.

Where tab
The Where tab allows you to specify which Change Auditor agents are to be included (or excluded) in the search
definition. You can select individual Change Auditor agents, all agents in a specific domain or a given site. When
multiple where criteria is added to this tab, Change Auditor uses the OR operator to evaluate change events,
returning events that were captured by any of the specified agents, domains or sites.


The Where tab contains the following information/controls:


Table 9. Where tab: Field/control descriptions

| Field/Control | Description |
| --- | --- |
| Runtime Prompt | Select this check box to prompt for the where criteria whenever the search is run. That is, when the Run tool bar button is selected, the Select Active Directory Objects dialog will be displayed allowing you to locate and select the agent(s), domain(s) or site(s) to be included in the search definition. NOTE: When this check box is checked, the Add tool bar buttons will be deactivated. NOTE: You cannot enable alerting for search definitions that use the Runtime Prompt option. |
| Exclude the Following Selection(s) | Select this check box to specify the agents, domains or sites to be excluded from the search. That is, Change Auditor is to return events generated from all Change Auditor Agents except those listed in the Where list. |
| Where list | By default, all agents will be included in a new search and therefore this list box will initially be empty. Once criteria is selected, this list box will contain the agents, domains and sites to be included in the search (or excluded from the search if the Exclude the Following Selection(s) option is checked). |

To search for events captured by a specific agent, domain or site:


NOTE: By default, all agents will be included in a new search, therefore the list box on the Where tab will be empty.

1. Open the Where tab and click the Add tool bar button.

2. On the Choose the Agents, Domains or Sites to Include dialog, use the Browse or Search pages to locate and select an individual agent, a domain or a site.
   NOTE: You can also select the Grid View option to select an agent from a list rather than using the Explorer View to locate it within your environment.

3. Click the Add button to add your selection to the selection list box at the bottom of the page.
   NOTE: You can use the Add With Events button (instead of Add) to select an agent, domain or site which already has an event associated with it in the database.

4. Once you have selected the agents, domains and sites to be included in the search, click the OK button to save your selection and close the dialog.

The agents, domains and/or sites listed on the Where tab now define where the search will be conducted when this search is run.

To use a wildcard expression to specify a domain, site or agent:


1. On the Where tab, expand the Add tool bar button and select the Add Wildcard Expression option.

2. On the Add Where dialog, enter the wildcard expression to be used to search for an agent (NetBIOS name), domain or site:
   - Select the comparison operator to be used: Like or Not Like.
   - In the field to the right, enter the pattern (character string and * wildcard character) to be used to search for a match. Use the * wildcard character to match any string of zero or more characters.
     For example, LIKE *local will find all agents whose NetBIOS name ends in local.
   - By default, the wildcard expression will be used to search for an agent. To search for a domain or site, select the Domain or Site option.

3. After entering the wildcard expression to be used, click the OK button to close the dialog and add the wildcard expression to the where list.

When this search is run, Change Auditor will search for change events generated on the domains, sites or agents whose name matches the specified wildcard expression.
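
The evaluation rules stated for the VMware and Where wildcard expressions (Like / Not Like with the * wildcard, both fields of one VMware entry required, OR across list entries, Exclude inverting the list) are modelled below. This Python sketch is an added example, not Change Auditor code; the event dictionaries, field names and case-insensitive comparison are assumptions.

```python
import re
from dataclasses import dataclass


def compile_wildcard(pattern):
    """'*' matches any run of zero or more characters; all else is literal."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    # Assumption: names compare case-insensitively (the guide does not say).
    return re.compile(body, re.IGNORECASE | re.DOTALL)


@dataclass(frozen=True)
class Expression:
    operator: str  # "Like" or "Not Like", the two operators the dialogs offer
    pattern: str

    def test(self, value):
        hit = compile_wildcard(self.pattern).fullmatch(value) is not None
        if self.operator == "Like":
            return hit
        if self.operator == "Not Like":
            return not hit
        raise ValueError("unsupported operator: %r" % self.operator)


def entry_matches(entry, event):
    """One selection-list row: every field expression in it must be met."""
    return all(f in event and expr.test(event[f]) for f, expr in entry.items())


def run_search(events, entries, exclude=False):
    """Rows are ORed; exclude=True returns everything except what is listed."""
    if not entries:  # empty list: nothing is filtered out
        return list(events)
    return [ev for ev in events
            if any(entry_matches(e, ev) for e in entries) != exclude]


def ids(events):
    return [ev["id"] for ev in events]


# Constructed sample events (hypothetical host, VM and agent names).
EVENTS = [
    {"id": 1, "host": "vcenter01.corp.example", "vm": "dc01", "agent": "SRV1LOCAL"},
    {"id": 2, "host": "esxhost07", "vm": "web03", "agent": "FILESRV"},
    {"id": 3, "host": "esxhost07", "vm": "adc-backup", "agent": "HQ-LOCAL"},
    {"id": 4, "host": "lab-esx", "vm": "dc02", "agent": "LOCALHOST9"},
]

# VMware entry with Host Name and VM Name both set: both must be met.
HOST_AND_VM = [{"host": Expression("Like", "*host*"),
                "vm": Expression("Like", "*dc*")}]

# Two VMware entries in the selection list: ORed together.
TWO_ENTRIES = [{"host": Expression("Like", "vcenter*")}] + HOST_AND_VM

# Where tab: agents whose NetBIOS name ends in "local".
ENDS_LOCAL = [{"agent": Expression("Like", "*local")}]

# Two ways that look alike but are not: ORed "Not Like" rows vs. Exclude.
NOT_LIKE_ROWS = [{"agent": Expression("Not Like", "*local")},
                 {"agent": Expression("Not Like", "file*")}]
LIKE_ROWS = [{"agent": Expression("Like", "*local")},
             {"agent": Expression("Like", "file*")}]

if __name__ == "__main__":
    print("host AND vm      :", ids(run_search(EVENTS, HOST_AND_VM)))
    print("two entries (OR) :", ids(run_search(EVENTS, TWO_ENTRIES)))
    print("same, excluded   :", ids(run_search(EVENTS, TWO_ENTRIES, exclude=True)))
    print("agent *local     :", ids(run_search(EVENTS, ENDS_LOCAL)))
    print("Not Like rows    :", ids(run_search(EVENTS, NOT_LIKE_ROWS)))
    print("Like + Exclude   :", ids(run_search(EVENTS, LIKE_ROWS, exclude=True)))
```

Because list entries are ORed, two Not Like rows return almost every event, while the same two patterns as Like rows with Exclude checked remove both groups; a search meant to suppress noise should use the second form.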

When tab
The When tab allows you to limit the returned results of the search by date and/or time. By default, a new
search is set to include the change events captured this week.

The When tab contains the following information/controls:


NOTE: All dates and times are based on the client's current local date and time. The format used to display the date and time is determined by the local machine's regional and language setting.

Table 10. When tab: Field/control descriptions

| Field/Control | Description |
| --- | --- |
| Runtime Prompt | Select this check box to prompt for the date and/or time interval whenever the search is run. That is, when the Run tool bar button is selected, the When dialog will be displayed allowing you to specify the date/time range to be used in your search. NOTE: When this check box is checked, the Add tool bar buttons will be deactivated. NOTE: You cannot enable alerting for search definitions that use the Runtime Prompt option. |
| Date Interval | Check one of the following options to change the default setting and define a different date range to limit your search. |
| From/To | Select this check box and enter the date range. From: Enter the start date for your date range; or click the arrow control to display a calendar from which to select the start date. Only events that occurred on or after this date will be included in the search. To: Enter the end date for your date range; or click the arrow control to display a calendar from which to select the end date. Only events that occurred before or on this date will be included in the search. |
| Last | Select this check box and the appropriate relative date and value (i.e., number of minutes, hours, days, weeks, months, quarters or years). NOTE: Relative dates are calculated based on the actual date and time when the search is started. |
| This | Select this check box and click the arrow control to select the appropriate date/time interval. This Day: Start parameter is TODAY at midnight local time; end parameter is the current date and time. This Week: Start parameter is midnight local time on the day specified in the First Day of Week parameter (Regional and Location setting) on the local machine (e.g., SUNDAY); end parameter is the current date and time. (Default for new searches.) This Month: Start parameter is the first day of the current month at midnight local time; end parameter is the current date and time. |
| Time Interval | Use this pane to specify a time range to further limit your search. |
| From | Use the arrow controls to select or enter the starting time for your time range. Only events that occurred at or after this time will be included in the search. |
| To | Use the arrow controls to select or enter the ending time for your time range. Only events that occurred before or at this time will be included in the search. |
| Reset | Use the Reset button to clear the time interval settings. |

To search for events generated during a specific date/time range:


NOTE: By default, new searches will include the events captured this week (Sunday at midnight, local time, through the current date and time).

1. Open the When tab.

2. In the Date Interval pane, check one of the following options to specify a date range to limit your search:
   - From/To - select this option and enter the date range to be used.
   - Last - select this option and the appropriate relative date and value (i.e., number of minutes, hours, days, weeks, months, quarters or years).
   - This - select this option and click the arrow control to select the appropriate time interval (i.e., Day, Week or Month).

3. In the Time Interval pane, optionally specify a time range to further limit your search.
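
The This Day / This Week / This Month boundaries described in Table 10 depend on the client's local clock and on its First Day of Week setting, so the same saved search can cover different events on different consoles. This Python sketch is an added example, not Change Auditor code; the function names and the sample events are assumptions, and naive datetimes stand in for client local time.

```python
from datetime import datetime, timedelta

# datetime.weekday() numbering: Monday is 0, Sunday is 6.
MONDAY, SUNDAY = 0, 6


def this_interval(kind, now, first_day_of_week=SUNDAY):
    """Return (start, end) for the 'This' option as Table 10 describes it.

    kind is "Day", "Week" or "Month"; 'now' is the moment the search is run,
    in client local time. The end parameter is always the current date/time.
    """
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if kind == "Day":
        start = midnight
    elif kind == "Week":
        # Step back to the most recent occurrence of the configured first day.
        days_back = (now.weekday() - first_day_of_week) % 7
        start = midnight - timedelta(days=days_back)
    elif kind == "Month":
        start = midnight.replace(day=1)
    else:
        raise ValueError("kind must be Day, Week or Month")
    return start, now


def covered(events, kind, now, first_day_of_week=SUNDAY):
    """Ids of events whose timestamp falls inside the computed window."""
    start, end = this_interval(kind, now, first_day_of_week)
    return [ev["id"] for ev in events if start <= ev["time"] <= end]


# Constructed sample events (client local time).
EVENTS = [
    {"id": 10, "time": datetime(2015, 6, 13, 23, 50)},  # Saturday, late evening
    {"id": 11, "time": datetime(2015, 6, 14, 7, 15)},   # Sunday, early morning
    {"id": 12, "time": datetime(2015, 6, 2, 9, 0)},     # earlier in the month
    {"id": 13, "time": datetime(2015, 5, 31, 22, 0)},   # previous month
]

# The search is run on Sunday 14 June 2015 at 08:00 local time.
RUN_AT = datetime(2015, 6, 14, 8, 0)

if __name__ == "__main__":
    for kind in ("Day", "Week", "Month"):
        print(kind, this_interval(kind, RUN_AT)[0], covered(EVENTS, kind, RUN_AT))
    # Same search on a client whose week starts on Monday.
    print("Week (Mon)", covered(EVENTS, "Week", RUN_AT, MONDAY))
```

Run on a Sunday morning, the default This Week window on a Sunday-start client holds only a few hours of events, so the Saturday 23:50 event is missed; the Last option or an explicit From/To range avoids that edge.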


Origin tab
The Origin tab allows you to search for events based on the workstation or server from which the event
originated. When multiple origin criteria is specified on this tab, Change Auditor uses the OR operator to
evaluate change events, returning events that originated from any of the specified workstations or servers.
The Origin tab contains the following information/controls:
Table 11. Origin tab: Field/control descriptions

| Field/Control | Description |
| --- | --- |
| Runtime Prompt | Select this check box to prompt for the originating workstation or server whenever the search is run. That is, when the Run tool bar button is selected, the Add Origin dialog will be displayed allowing you to enter the wildcard expression to locate a specific workstation or server. NOTE: When this check box is checked, the Add tool bar buttons will be deactivated. NOTE: You cannot enable alerting for search definitions that use the Runtime Prompt option. |
| Exclude the Following Selection(s) | Select this check box to specify the workstation(s), or server(s) to be excluded from the search. That is, Change Auditor is to return events originating from all workstations and servers except those listed in the Origin list. |
| Origin list | By default, all events regardless of where they originated will be included in a new search and therefore this list box will initially be empty. Once criteria is selected, this list box will contain the wildcard expression used to locate the workstation(s) and server(s) to be included in the search (or excluded from the search if the Exclude the Following Selection(s) option is checked). |

To search for events based on where they originated:


NOTE: By default, all events, regardless of the workstation or server from which they originated, will be included in the search.

1. Open the Origin tab.

2. Click the Add tool bar button.

3. On the Add Origin dialog, enter the wildcard expression to be used to search for a workstation or server, based on its NetBIOS name or IP address:
   - Select the comparison operator to be used: Like or Not Like.
   - In the field to the right, enter the pattern (character string and * wildcard character) to be used to search for a match. Use the * wildcard character to match any string of zero or more characters.

4. After entering the wildcard expression to be used, click the OK button to close the dialog and add the wildcard expression to the origin list.

When this search is run, Change Auditor will search for change events originating on workstations/servers whose name or IP address matches the specified wildcard expression.
NOTE: You can use the Add with Events tool bar button (instead of Add) to select a workstation or server that already has an event associated with it in the database. The workstations/servers available for selection are based on the when clause (When tab) and the search limit (Info tab) specified for the current search.

Alert tab
The Alert tab allows you to enable alerting and define how and where to dispatch alerts. Refer to Alert tab
(Search Properties tabs) for a detailed description of the contents of this tab.

Report tab
The Report tab allows you to enable reporting and define when and where to send the email report. Refer to
Report tab (Search Properties tabs) for a detailed description of the contents of this tab.

Layout tab
NOTE: In previous versions of Change Auditor, this tab was referred to as the Advanced tab.
Using the Layout tab, you can define the data (columns) to be retrieved from the database and displayed for the
selected search. From this tab you can also define the column order, sort criteria and order, groupings and the
format to be used for displaying the retrieved data. The layout defined on this tab is used for both displaying
the search results in the client and for the report layout when reporting is enabled on the Report tab.

The Layout tab contains the following information/controls:


Table 12. Layout tab: Table/Control descriptions

| Table | Description |
| --- | --- |
| Unselected Columns | Displays the event details that can be retrieved from the database. |
| Selected Columns | Displays the event details that are being retrieved from the database. It also displays the order in which the columns will be presented, i.e., the top entry will be the left-most column in the search results grid/report. To add and remove columns from this table, use the buttons to the left of the table: Adds the column selected in the Unselected Columns table to the Selected Columns table; Removes the column selected in the Selected Columns table, moving it back to the Unselected Columns table. To rearrange or sort the columns for display, use the buttons to the right of the table: Moves the selected column up in the list; Moves the selected column down in the list; Adds the selected column to the Sort Criteria table (this column is placed after the column selected in the Sort Criteria table); Removes the column selected in the Sort Criteria table from the sort criteria; Resets the Selected Columns table back to the factory defaults. |
| Sort Criteria | Defines the criteria to be used to sort the search results, including: Order By - specifies the column(s) to be used to sort the data (the primary sort criteria is listed first); Direction - specifies whether to present the data in descending or ascending order; Group By - indicates whether the column is also to be used to group the data. To rearrange the sort criteria, use the buttons to the right of the table: Moves the selected column up in the list; Moves the selected column down in the list; Resets the Sort Criteria and Display Results tables back to the factory defaults. |
| Search Results | Specifies the format to be used to display the search results on the Search Results page. When a grouping is defined, select one of the following options: In a Grid (default); As a Pie Chart; As a Bar Graph. NOTE: These options are only available when a single level of grouping is defined (i.e., only one column contains a Yes in the Group By column of the Sort Criteria table). NOTE: The options in this table apply only to the search results in the client; they do not apply to reports. |

To customize what's displayed for the selected search:

1. Open the Layout tab.

2. Review the columns listed in the Selected Columns table (second table from the left) to determine if it contains the information you want to display for the selected search.

3. To add a column, select the column from the Unselected Columns table and click the right arrow button (located between the first two tables) to move it to the Selected Columns table.
   You can also drag and drop a column to the Selected Columns table.

4. To remove a column from display, select the column from the Selected Columns table and click the left arrow button (located between the first two tables) to move it back to the Unselected Columns table.
   You can also drag and drop a column back to the Unselected Columns table.

5. The Selected Columns table also displays the order the columns will be presented. To rearrange the order of the columns, in the Selected Columns table select the column to be moved and click the up or down arrow button (located to the right of the Selected Columns table) to move the selected column to the desired location. The top entry will be the left-most column in your display/report.
   You can also drag and drop columns in this table to define the order.
   NOTE: To reset the column selection and arrangements in the Selected Columns table back to the factory defaults, click the restore button located next to the lower right-hand corner of this table.

6. The Sort Criteria table (third table) defines the order to be used to sort the search results. To define the sort criteria for your search results, select a column in the Selected Columns table and click the right arrow button (located to the right of the Selected Columns table) to move it to the Sort Criteria table.
   To specify secondary sort criteria, add the additional column to the Sort Criteria table. Use the arrow controls to the right of the Sort Criteria table to define the primary (first column in list) and subsequent sort criteria.
   You can also drag and drop columns between the Selected Columns and Sort Criteria tables and within the Sort Criteria table to define the sort criteria.

7. To change the direction, ascending or descending, select a column in the Sort Criteria table, click in the Direction cell and select either ascending (ASC) or descending (DESC) from the drop-down menu.

8. In addition, you can use the Group By column to define groupings. To group the selected search's results, select the column to be used for the grouping, click in the Group By cell and select Yes from the drop-down menu.

9. When a single level of grouping is defined (only one column contains a Yes in the Group By column of the Sort Criteria table), you can select one of the following options in the Display Results table to define the display format to be used for the selected search:
   - In a Grid (default)
   - As a Pie Chart
   - As a Bar Graph
   NOTE: The settings in the Search Results table do not apply to reports.
   NOTE: To reset the settings in the Sort Criteria table and Search Results table back to the default settings, click the restore button located next to the lower right-hand corner of the Sort Criteria table.

10. Click one of the following tool bar commands to save your selections:
   - Save
   - Save As | Save As
   - Save As | Save As Default
   NOTE: You can also use the Preview Changes tool bar button to rerun the query to preview the changes you have made without saving them.

SQL tab
The SQL tab displays the SQL query built to run the selected search. This information is only available once a
search has been created.
NOTE: The SQL tab is hidden by default. To display the SQL tab, use the Action | Show SQL Tab menu
command.

To copy the SQL query:

1. Select the text that is to be copied.

   NOTE: To copy the entire SQL query, click before the first word in the query, use the scroll bar to scroll to the end of the query text, and Shift + click after the last word in the query to select all of the query statements.

2. Click the Copy tool bar button.

3. Open the application (e.g., Notepad) to which the content is to be pasted, right-click and select Paste.

XML tab
The XML tab displays the XML representation of the search criteria. This same information can be exported by
right-clicking a search in the Searches list on the Searches page and selecting the Export command.
NOTE: The XML tab is hidden by default. To display the XML tab, use the Action | Show XML Tab menu
command.

To copy the XML code:

1. Select the text that is to be copied.

   NOTE: To copy the entire XML code, click before the first character in the XML file, use the scroll bar to scroll to the end of the text, and Shift + click after the last word in the file to select all of the XML statements in the file.

2. Click the Copy tool bar button.

3. Open the application (e.g., Notepad) to which the content is to be pasted, right-click and select Paste.

8 Enable Alert Notifications

• Introduction
• Alert tab (Search Properties tabs)
• Enable alerts
• Disable alerts
• Alert History page
• View alert history

Introduction
Change Auditor can generate alerts when certain kinds of configuration changes occur. These alerts appear in
the Change Auditor client and are then dispatched to designated recipients via email (SMTP), SNMP or WMI
events.
NOTE: You cannot enable alerting for search definitions that use the Runtime Prompt option.
NOTE: SMTP, SNMP and/or WMI must be configured to receive Change Auditor alerts BEFORE any alert
notifications will be sent.
Smart Alert Technology provides intelligent event correlation by notifying administrators when event patterns
cause potential security risks. Administrators can customize the Smart Alerts to match their security policies.
For example, if a privileged account is attempting to log on with a bad password at multiple machines within a
predetermined time period, a proactive alert can be generated.
This chapter provides a description of the Alert tab and instructions on how to enable and disable alert
notifications. It also provides a description of the Alert History page and instructions for viewing and deleting
the alert history. For a description of the other dialogs mentioned in this chapter, refer to the online help.

Alert tab (Search Properties tabs)


The Alert tab displays the current alert configuration for the selected search definition. From the Alert tab, you
can enable/disable an alert notification for the selected search definition, define how and where to dispatch
the alert (via SMTP (email), SNMP and/or WMI), and modify the alert configuration settings.

Use the controls on the Alert tab as described below.


Table 13. Alert tab: Field/Control descriptions

Field/Control: Alert Enabled
Description: Select the Alert Enabled check box to enable an alert for the current search definition. This option will become available only after one of the transport methods is selected in the Send Alert To setting on this tab.

Alert Configuration pane

Field/Control: Send Alert To
Description: Select all of the transport options that are to be applied to this search definition:
• SNMP - Select this option to dispatch Change Auditor alerts for this search definition via SNMP traps.
• WMI - Select this option to dispatch Change Auditor alerts for this search definition via WMI (Windows Management Instrumentation) events.
• SMTP - Select this option to dispatch alerts for this search definition via email. Selecting this option will display the Alert Custom Email dialog allowing you to specify the email address of the person(s) who are to receive the email notification.

Field/Control: History Search Limit
Description: By default, up to 50,000 events can be included in the alert history. Use the arrow controls to increase or decrease this value to define the maximum number of events to be included in the alert history.
NOTE: The History Search Limit setting is a global setting and changes made to this setting will be applied to ALL alerts.

Field/Control: Configure Email
Description: For SMTP alerts, click the Configure Email button to display the Alert Custom Email dialog to change the details about the alert email to be sent, including the To address, the Reply To address, and the Subject Line. In addition, from the Alert Custom Email dialog you can access the Alert Body Configuration dialog to configure the body of the email alert.
NOTE: If SMTP is not configured, a message box appears stating that the Coordinator email configuration has not been configured. Open the Administration Tasks tab and use the Coordinator Configuration page to enable email notification and configure SMTP.

Field/Control: Events Per Email
Description: For SMTP alerts, a maximum of 100 events will be included in a single alert email by default. Use the arrow controls to increase or decrease this value to define the maximum number of events to be included in an email.

Field/Control: Time zone
Description: For SMTP alerts, use this field to specify the time zone to be used for the alert's date/time stamp in the notification emails. By default, the time zone of the machine where the Change Auditor client resides will be used.

Smart Alert pane

Field/Control: Smart Alert Enabled
Description: Select this check box to specify under what conditions an alert is to be sent. This feature is only available for SMTP and SNMP notifications.

Field/Control: Send Alert When <nn> Events Occur Within <nn> <interval>
Description: Select this option to specify the number of events that must occur within a specified time interval before generating/dispatching the alert.
Where: <interval> is one of the following: minutes, hours or days

Field/Control: On A Single Object
Description: Select this check box to specify that the event must occur for the same object the specified number of times before the alert will be triggered. When this check box is cleared (default), the event can occur on any object the specified number of times to trigger the alert.
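
The Smart Alert condition described above (Send Alert When <nn> Events Occur Within <nn> <interval>, with or without On A Single Object) can be reasoned about with the following Python example, which is added here for illustration and is not Change Auditor code. The treatment of the window boundary, the reset after an alert fires, the function name and the sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The three interval units the Alert tab offers for a Smart Alert.
INTERVAL_SECONDS = {"minutes": 60, "hours": 3600, "days": 86400}


def smart_alert_hits(events, count, within, interval, single_object=False):
    """Return (time, key, n) for each point at which `count` events fall
    inside a window of `within` <interval>.

    events        -- iterable of (datetime, object_name) returned by one search
    single_object -- True models "On A Single Object": all events must concern
                     the same object. False (the default) lets events on any
                     object count together.
    Assumptions (not documented product behaviour): two events exactly one
    window apart still count as "within", and counting restarts after a hit.
    """
    if interval not in INTERVAL_SECONDS:
        raise ValueError("interval must be minutes, hours or days")
    if count < 1 or within < 1:
        raise ValueError("count and within must be positive")
    window = timedelta(seconds=within * INTERVAL_SECONDS[interval])

    recent = defaultdict(deque)  # key -> timestamps still inside the window
    hits = []
    for ts, obj in sorted(events):
        key = obj if single_object else "*"  # "*" is one counter shared by all objects
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # expire events that fell out of the window
            q.popleft()
        if len(q) >= count:
            hits.append((ts, key, len(q)))
            q.clear()  # assumption: start counting afresh after dispatch
    return hits


def _t(hhmm):
    """Build a timestamp on a constructed sample day."""
    hour, minute = hhmm.split(":")
    return datetime(2015, 6, 1, int(hour), int(minute))


# Constructed sample: failed logons by one privileged account, keyed by the
# machine on which each attempt was made (hypothetical host names).
SAMPLE_EVENTS = [
    (_t("09:00"), "WS01"),
    (_t("09:02"), "WS02"),
    (_t("09:03"), "SRV-FILE01"),
    (_t("09:30"), "WS01"),
    (_t("09:31"), "WS01"),
    (_t("09:33"), "WS01"),
    (_t("11:00"), "WS02"),
]

if __name__ == "__main__":
    for single in (False, True):
        label = "single object" if single else "any object"
        for ts, key, n in smart_alert_hits(SAMPLE_EVENTS, 3, 5, "minutes", single):
            print(f"{label}: alert at {ts:%H:%M} key={key} events={n}")
```

With the check box cleared, the spread of attempts across three machines at 09:00 to 09:03 raises an alert; with On A Single Object selected, only the repeated attempts against one machine do, so the multi-machine pattern from the Introduction needs the default setting.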

Enable alerts
Using the Searches page, you can enable/disable alert notifications for individual search definitions and
dispatch them via SMTP (email), SNMP or WMI.
NOTE: The right-click commands available for enabling/disabling alert notifications are available when
multiple search definitions are selected. However, you can only enable/disable alert notifications using
the Alert tab when a single search definition is selected.

To enable SMTP (email) alerts for individual search definitions:

NOTE: In order to dispatch configuration change alerts through email (SMTP), you must first enable email notification and define the mail server to be used on the Coordinator Configuration page. See Configure email alert notifications/reports in the Coordinator Configuration chapter.

1. Open the Searches page.

2. Expand the Private or Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list in the right-hand pane.

3. Use one of the following methods to enable an alert:
   • Right-click the search and select the Alert | Enable Transport | SMTP command.
   • Open the Alert tab and select the SMTP check box and then the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the search definition and select Show Properties).
   NOTE: If SMTP is not configured, a message box will display stating that the coordinator email configuration has not been configured. Open the Administration Tasks tab and use the Coordinator Configuration page to configure SMTP.

   Using either of these methods displays the Alert Custom Email dialog allowing you to enter the email address of the person(s) who are to receive the alert notification.

4. Enter or click the browse button to specify the user(s) who are to receive the alert notification. Selecting the browse button displays one of the following dialogs:
   • The Select Active Directory Objects dialog (directory object picker) where you can use the Browse or Search page to locate Active Directory user(s). This dialog is displayed when no Exchange host is specified in the SMTP Configuration pane of the Coordinator Configuration page.
   • The Search Users dialog allowing you to locate and select an Exchange user (Exchange tab) or an Active Directory user (Active Directory tab). This dialog is displayed when an Exchange host is defined in the SMTP Configuration pane of the Coordinator Configuration page.

   NOTE: You can enter an individual email address or distribution list address in the To, Cc or Bcc fields. You can also send the alert notification to additional recipients by selecting the appropriate check box, as described below:
   • Add Who - Select this check box to send an alert to the user who initiated the change that triggered the alert.
   • Add Owner(s) - Select this check box to send an alert to the Exchange Mailbox owner whose mailbox was accessed by another user and their action triggered an alert. (This feature only applies to Exchange Mailbox Monitoring, which is available in Change Auditor for Exchange.)
   • Add Managed By - For events associated with groups that are being managed by another account, select this check box to send an alert to the managing user's email.
   Once a check box is selected, select the corresponding option to add it to the To, Cc or Bcc field.

   By default, the values entered on the SMTP Configuration pane of the Coordinator Configuration page will be used for the following fields/settings:
   • Reply To address
   • Subject line
   • email format (Plain Text or HTML)
   • body of the email alert

   If you do not want to use these default settings for the current search query, you can modify them on the Alert Custom Email dialog. To modify the body of the email alert, click the Configure Body button.

   Once you have finished specifying the recipient email addresses, click OK to save your selections and close the dialog.

5. In addition, you can change the following alert configuration settings using the Alert tab (Search Properties tabs):
   • By default, up to 50,000 events will be included in the alert history. Use the History Search Limit setting to change this value. (This setting is a global setting and changes made to this setting will be applied to ALL alerts.)
   • By default, a maximum of 100 events will be included in a single alert email. Use the Events Per Email setting to change this number.
   • By default, the time zone of the machine where the Change Auditor client resides will be used for an alert's date/time stamps in the email. To change the time zone to be used for these date/time stamps, select the time zone from the drop-down list.
   • If you want to specify under what conditions an alert is to be sent, select the Smart Alert Enabled check box and specify the number of events that must occur within a specified time interval before generating/dispatching the alert.
     By default, a smart alert is generated when the event occurs on any object the specified number of times. You can, however, select the On a Single Object option to have the smart alert triggered when the event occurs on the same object the specified number of times.
   NOTE: If using the Alert tab, be sure to click the Save button to save the alert definition.

When an alert is enabled, the following indicators are added to the Searches list:
   • Type - the icon for the search (magnifying glass) changes to a check mark and the label changes from Search to Alert (e.g., Shared Alert)
   • Alert - displays Enabled
   • Alert To - displays the email address of any users who are to receive the alert email
   • Alert Cc - if specified, displays the email address of any users who are to receive a copy of the alert email
   • Alert Bcc - if specified, displays the email address of any users who are to receive a blind copy of the alert email

To enable SNMP alerts for individual search definitions:

NOTE: In order to generate SNMP alerts, SNMP must be installed and the trap receiver must be started.

1. Open the Searches page.

2. Expand the Private and Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list in the right-hand pane.

3. Use one of the following methods to enable an alert:
   • Right-click the search and select the Alert | Enable Transport | SNMP command.
   • Open the Alert tab at the bottom of the page, select the SNMP check box, then the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command).

4. In addition, you can change the following alert configuration settings using the Alert tab (Search Properties tabs):
   • By default, up to 50,000 events will be included in the alert history. Use the History Search Limit setting to change this value. (This setting is a global setting and changes made to this setting will be applied to ALL alerts.)
   • If you want to specify under what conditions an alert is to be sent, select the Smart Alert Enabled check box and specify the number of events that must occur within a specified time interval before generating/dispatching the alert.
     By default, a smart alert is generated when the event occurs on any object the specified number of times. You can, however, select the On a Single Object option to have the smart alert triggered when the event occurs on the same object the specified number of times.
   NOTE: If using the Alert tab, be sure to click the Save button to save the alert definition.

When an alert is enabled, the following indicators are added to the Searches list:
   • Type - the icon for the search (magnifying glass) changes to a check mark and the label changes from Search to Alert (e.g., Shared Alert)
   • Alert - displays Enabled

To enable WMI alerts for individual search definitions:

NOTE: In order to generate WMI alerts, WMI must be installed and started. A WMI event consumer must also be running on the coordinator server.

1. Open the Searches page.

2. Expand the Private and Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list in the right-hand pane.

3. Use one of the following methods to enable an alert:
   • Right-click the search and select the Alert | Enable Transport | WMI command.
   • On the Alert tab, select the WMI check box and then the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command).

4. In addition, you can change the following alert configuration setting using the Alert tab (Search Properties tabs):
   • By default, up to 50,000 events will be included in the alert history. Use the History Search Limit setting to change this value. (This setting is a global setting and changes made to this setting will be applied to ALL alerts.)
   NOTE: If using the Alert tab, be sure to click the Save button to save the alert definition.

When an alert is enabled, the following indicators are added to the Searches list:
   • Type - the icon for the search (magnifying glass) changes to a check mark and the label changes from Search to Alert (e.g., Shared Alert)
   • Alert - displays Enabled

Disable alerts
NOTE: The right-click commands available for enabling/disabling alert notifications are available when
multiple search definitions are selected. However, you can only enable/disable alert notifications using
the Alert tab when a single search definition is selected.

To disable alerts:

1. Open the Searches page.

2. Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list box in the right-hand pane.

3. Use one of the following methods to disable an alert:
   • Right-click the alert and select the Alert | Disable Alert command. A message box will be displayed asking you to confirm that you want to disable the alert. Click Yes.
   • Open the Alert tab, clear the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
   NOTE: If using the Alert tab, click the Save button to apply the change.

When the alert is disabled, the Alert column displays Disabled.

In addition to disabling an alert, you can also disable the alerting transports for an alert-enabled search.

To disable SMTP alerts for an individual search definition:

1. Open the Searches page.

2. Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list in the right-hand pane.

3. Use one of the following methods to disable an alert:
   • Right-click the alert and select Alert | Disable Transport | SMTP. A message box will be displayed asking you to confirm that you want to disable the alert. Click Yes.
   • Open the Alert tab, clear the SMTP check box and the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
   NOTE: If using the Alert tab, click the Save button to apply the change.

If this is the only transport or when all transports are disabled, the definition returns to a Search type.

To disable SNMP alerts for an individual search definition:

1. Open the Searches page.

2. Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list in the right-hand pane.

3. Use one of the following methods to disable an alert:
   • Right-click the alert and select Alert | Disable Transport | SNMP. A message box will be displayed asking you to confirm that you want to disable the alert. Click Yes.
   • Open the Alert tab, clear the SNMP check box and the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
   NOTE: If using the Alert tab, click the Save button to apply the change.

If this is the only transport or when all transports are disabled, the definition returns to a Search type.

To disable WMI alerts for an individual search definition:

1. Open the Searches page.

2. Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list in the right-hand pane.

3. Use one of the following methods to disable an alert:
   • Right-click the alert and select Alert | Disable Transport | WMI. A message box will be displayed asking you to confirm that you want to disable the alert. Click Yes.
   • Open the Alert tab, clear the WMI check box and the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
   NOTE: If using the Alert tab, click the Save button to apply the change.

If this is the only transport or when all transports are disabled, the definition returns to a Search type.

Alert History page


The Alert History page is accessed by selecting an alert enabled search, right-clicking and selecting the Alert |
History command. This page displays details regarding the events that triggered the selected SMTP alert,
including the time the alert was triggered, if the alert was successfully sent, a description of the event that
triggered the alert and, if applicable, an error message stating the alert was not sent.
NOTE: Regardless of the alert state (enabled or disabled) the alert history for an alert-enabled search is
always available until it is removed using the Alert | Delete History right-click menu command.
The data grid on this page contains the following information for each event that triggered an alert:
Table 14. Alert History page: Field descriptions

Column: Time Alerted
Description: Displays the time the alert occurred.

Column: Alert Type
Description: Displays SMTP for the type of alert that was generated.

Column: Sent
Description: Indicates whether the alert was successfully sent: Yes or No.

Column: Description
Description: Displays a description of the events that caused this alert to be triggered.

Column: Error Message
Description: Displays an error message if the alert was not successfully sent.


View alert history


For each enabled alert, two additional context menu commands become available whenever you right-click an
alert-enabled search definition on the Searches page: Alert | History and Alert | Delete History.
NOTE: The Alert | History and Alert | Delete History right-click commands are available for any search that has ever had an alert enabled in the current product version, regardless of its current state. For disabled alerts, these commands become unavailable only after the alert history has been deleted using the Alert | Delete History command.

To view the alerts triggered for a search:

1. On the Searches page, select an alert-enabled search definition, right-click, expand the Alert command and select the History option.

   This will open a new Alert History page, which displays details regarding the alerts triggered for the selected search.

To delete alert history:

1. On the Searches page, select an alert-enabled search, right-click, expand the Alert command and select the Delete History option.

   Selecting this command will clear the alert history for the selected alert.
   NOTE: Change Auditor deletes alerts in batches of 1000, so the alert history will not be immediately cleared; however, refreshing the screen will show the number of alerts decreasing.

View event details or alert properties


From an Alert History page, you can view the alert properties (Alert tab) used to generate the displayed alerts
or access more detailed information about an individual alert. Using the tool bar buttons at the top of an Alert
History page, you can easily switch between the Alert tab and Event Details pane.

To display event details for an alert:

1. Open an Alert History page and select an alert from the grid.

2. If neither the Alert tab nor the Event Details pane is being displayed (or the Alert tab is displayed), use one of the following methods to display the event details:
   • double-click the alert entry in the results grid
   • click the Event Details tool bar button
   • right-click the alert and select Event Details

3. To hide the Event Details pane, use the hide button in the upper right corner of the Event Details pane.

To display the alert properties for an alert:

1. Open an Alert History page and select an alert from the grid.

2. If neither the Alert tab nor the Event Details pane is being displayed (or the Event Details pane is displayed), use one of the following methods to display the search properties:
   • click the Alert Properties tool bar button
   • right-click the alert and select Alert Properties

3. To hide the Alert tab, use the hide button in the upper right corner.

9 Administration Tasks

• Administration Tasks tab
• Administration Task lists
• Export/import Administration Task settings

Administration Tasks tab


The Administration Tasks tab allows you to perform a variety of administration tasks based on the Change
Auditor licenses that are applied. Use the View | Administration menu command to display the Administration
Tasks tab, which consists of a navigation pane to the left and information pages to the right.
NOTE: Authorization to use the administration tasks on the Administration Tasks tab is defined using the Application User Interface page. Members of the ChangeAuditor Administrators security group have full administrative privileges with access to all aspects of the Change Auditor client. Members of the ChangeAuditor Operators security group only have limited access to the Change Auditor client and therefore do NOT have access to the Administration Tasks tab. For more information about assigning users/groups authorization to this tab, refer to the Change Auditor User Interface Authorization chapter.
The Administration Tasks tab navigation pane is divided into different task lists: Configuration, Auditing and
Protection. Click a task button from the bottom of the navigation pane to display a task list. Then select a task
from the displayed task list to display the appropriate information page, from which you can perform the
corresponding administrative task.

Administration Task lists


The following table lists the navigation pane's task lists and a brief description of the administrative tasks that can be performed. Many of the tasks listed require a specific Change Auditor license, which is indicated by the following codes in the last column of the table:

• Any - does not require a specific license; available with any license
• CAAD - Change Auditor for Active Directory
• CAEX - Change Auditor for Exchange
• CAFS - Change Auditor for Windows File Servers
• CASQL - Change Auditor for SQL Server
• CAAD-Q - Change Auditor for Active Directory Queries
• CAEMC - Change Auditor for EMC
• CANA - Change Auditor for NetApp
• CASP - Change Auditor for SharePoint
• CASW - Change Auditor for SonicWALL


NOTE: The product will not prevent you from performing any of the administration tasks on the
Administration Tasks tab; however, associated events will not be captured and/or associated protection
will not occur unless the proper license is applied.
To hide unlicensed Change Auditor features from the Administration Tasks tab (including unavailable audit
events throughout the client), use the Action | Hide Unlicensed Components command.

For more detailed information on how to perform an administrative task or a description of the page that is
displayed, refer to the appropriate chapter in the different Change Auditor user guides.
Table 15. Administration Task tab: Task descriptions

Task list: Configuration
The following tasks are available in the Configuration task list:

Task: Agent
Description: Define and assign agent configurations. For more information, see Agent Configurations.
License: Any

Task: Coordinator
Description: Enable email alert notifications/reports, configure mail server to be used for SMTP alerting/reporting, define group membership expansion, and modify agent heartbeat check interval. For more information, see Coordinator Configuration.
License: Any

Task: Purge and Archive Jobs
Description: Define and schedule purge jobs for deleting events from the production database. Define and schedule archive jobs to create a yearly archive database for older events that are no longer required to be represented in your reports. For more information, see Purging and Archiving your Change Auditor Database.
License: Any

Task: Private Alerts and Reports
Description: View and manage all private search queries where alerting and/or reporting has been enabled. For more information, see Disable Private Alerts and Reports.
License: Any

Task: Report Layouts
Description: Define report layout templates which contain the header/footer information to be used in reports. For more information, see Generate and Schedule Reports.
License: Any

Task: Application User Interface
Description: Define who is authorized to use the various Change Auditor client features. In addition you can define who is authorized to view the Active Directory and Group Policy protection tasks in Change Auditor. For more information, see Change Auditor User Interface Authorization.
License: Any

Task list: Auditing
The Auditing task list is divided into separate lists that identify configuration tasks, forest-level tasks that are globally applied, tasks that define auditing for different applications, server-level tasks that must be assigned to an agent configuration, and tasks that define NAS device auditing and SonicWALL device auditing.

Configuration
Use the tasks under this heading to configure the audit events to be captured by Change Auditor and to define accounts that are to be excluded from auditing.

Task: Audit Events
Description: Enable/disable event auditing and modify an event's severity level or description. For more information, see Enable/Disable Event Auditing.
License: Any

Task: Excluded Accounts
Description: Create Excluded Accounts templates to define individual accounts that are to be excluded from Change Auditor auditing. For more information, see Account Exclusion.
License: Any

Forest
Use the tasks under this heading to define custom auditing definitions for your Active Directory forest.

Task: Active Directory
Description: Define custom Active Directory object class auditing. For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD

Task: Attributes
Description: Define custom Active Directory attribute auditing. For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD

Task: Member of Group
Description: Define a Member of Group auditing list to specify the users to be audited based on their group membership. For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD

Task: Excluded AD Query
Description: Define the Active Directory containers that are to be excluded from AD query auditing. For more information, see the Dell Change Auditor for Active Directory Queries User Guide.
License: CAAD-Q

Task: ADAM (AD LDS)
Description: Define custom ADAM (AD LDS) object auditing. For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD

Task: Attributes
Description: Define custom ADAM (AD LDS) attribute auditing. For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD

Applications
Use the tasks under this heading to define auditing for different types of applications within your environment.

Task: Exchange Mailbox
Description: Define an Exchange Mailbox auditing list to specify which directory objects' mailbox activities are to be audited by Change Auditor for Exchange. For more information, see the Dell Change Auditor for Exchange User Guide.
License: CAEX

Task: Exchange Online
Description: Specify the Exchange Online mailboxes that are to be audited by Change Auditor for Exchange. For more information, see the Dell Change Auditor for Exchange User Guide.
License: CAEX

Task: SQL
Description:
• SQL Server - Create SQL Auditing templates to define the SQL instances and operations that are to be audited.
• SQL Data Level - Create SQL Data Level Auditing templates to define the operations that are to be audited.
For more information, see the Dell Change Auditor for SQL Server User Guide.
License: CASQL

Task: VMware
Description: Create VMware Auditing templates to define the VMware hosts to be audited and the Change Auditor agent to be used to audit these hosts. For more information, see VMware Auditing.
License: Any


Task: SharePoint
Description: Create SharePoint Auditing templates to define the SharePoint farm to be audited and the Change Auditor agent to be used to audit this farm. For more information, see the Dell Change Auditor for SharePoint User Guide.
License: CASP

Server
Use the tasks under this heading to create auditing templates that can then be assigned to agent configurations to enable custom server-level auditing.

Task: File System
Description: Create File System Auditing templates to define the files/folders that are to be audited. For more information, see the Dell Change Auditor for Windows File Servers User Guide.
License: CAFS

Task: Registry
Description: Create Registry Auditing templates to define the registry keys and events that are to be audited. For more information, see Registry Auditing.
License: Any

Task: Services
Description: Create Service Auditing templates to specify the system services that are to be audited. For more information, see Service Auditing.
License: Any

NAS
Use the tasks under this heading to create auditing templates for NAS devices.

Task: EMC
Description: Create a separate EMC Auditing template for each CIFS file access protocol to be audited by Change Auditor, defining the EMC file server (CIFS), auditing scope and Change Auditor agent(s) that are to receive the EMC audit events. For more information, see the Dell Change Auditor for EMC User Guide.
License: CAEMC

Task: NetApp
Description: Create a separate NetApp Auditing template for each NetApp filer to be audited by Change Auditor, defining the location of the NetApp filer, the auditing scope, and the Change Auditor agent(s) that are to receive the NetApp filer audit events. For more information, see the Dell Change Auditor for NetApp User Guide.
License: CANA

SonicWALL
Use the tasks under this heading to create auditing templates for SonicWALL web site and cloud storage auditing.

Task: Web Site
Description: Create SonicWALL Web Site Auditing templates to specify the web site URLs that are to be audited. For more information, see the Dell Change Auditor for SonicWALL User Guide.
License: CASW

Task: Cloud Storage
Description: Create SonicWALL Cloud Storage Auditing templates to specify the cloud storage sites to be audited. For more information, see the Dell Change Auditor for SonicWALL User Guide.
License: CASW

Dell Change Auditor 6.7


User Guide

90

Table 15. Administration Task tab: Task descriptions


Task List/Task

Description

License

Protection
The Protection task list is divided into separate task lists as well: one for forest-level tasks that are globally
applied, one for tasks that define protection for applications, and another for server-level tasks that must be
assigned to an agent configuration.
Note: To use Active Directory Protection templates, you must be logged in to Change Auditor with an account
with Enterprise Admin privileges.
Forest
Use the tasks under this heading to define global protection definitions for your Active Directory forest.
Active Directory

Create Active Directory Protection templates to define critical


Active Directory objects that are to be protected against
unauthorized modifications.

CAAD

For more information, see the Dell Change Auditor for Active
Directory User Guide.
ADAM (AD LDS)

Create ADAM (AD LDS) Protection templates to define critical


ADAM objects that are to be protected against unauthorized
modifications.

CAAD

For more information, see the Dell Change Auditor for Active
Directory User Guide.
Group Policy

Create Group Policy Protection templates to define critical


Group Policy objects that are to be protected against
unauthorized modifications.

CAAD

For more information, see the Dell Change Auditor for Active
Directory User Guide.
Applications
Use the task under this heading to define global protection for your Exchange Mailbox application.
Exchange Mailbox

Create Exchange Mailbox Protection templates to define critical CAEX


Exchange Mailboxes that are to be protected against
unauthorized modifications.
For more information, see the Dell Change Auditor for
Exchange User Guide.

Server
Use the task under this heading to create protection templates that can then be assigned to agent
configurations to enable server-level protection.
File System

Create File System Protection templates to define critical


files/folders that are to be protected against unauthorized
modifications.

CAFS

For more information, see the Dell Change Auditor for


Windows File Servers User Guide.

Export/import Administration Task settings


Using the Export and Import commands on the Action menu, you can export/import the settings defined on
the various Administration Tasks tabs. Selecting one of these commands displays a dialog allowing you to select
the configuration, auditing and protection settings to be exported/imported.

To export Administration Task settings:

1 Open the Administration Tasks tab.
2 Click the Action | Export menu command.
3 On the Export dialog, select the configuration, auditing and protection settings to be exported:
Table 16. Export dialog settings

| Setting | Description |
|---|---|
| Configuration | NOTE: By default, all settings except for the Coordinator Configuration and Application User Interface settings are selected for export. When imported, these configuration settings overwrite any existing settings that may be present. |
| Agent | Select to export all agent configurations including the settings and auditing and protection template assignments. NOTE: When selected, the auditing and protection templates that must be assigned to agent configurations are selected by default, and cannot be cleared. |
| Coordinator | Select to export the coordinator configuration settings. NOTE: This option is not selected by default. |
| Application User Interface | Select to export Change Auditor client feature authorizations. NOTE: This option is not selected by default. |
| Report Layouts | Select to export any Report Layout templates. |
| Purge Jobs | Select to export any scheduled purge jobs. |
| Auditing | |
| Audit Events | Select to export the audit event settings, such as enabled/disabled events, event severity and descriptions. |
| Excluded Accounts | Select to export any Excluded Accounts templates. NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly. |
| Active Directory | Select to export any custom Active Directory auditing definitions. |
| Active Directory \| Attributes | Select to export any custom Active Directory attribute auditing definitions. |
| Active Directory \| Member Of Group | Select to export the contents of the Member of Group list. |
| Active Directory \| Excluded AD Query | Select to export the contents of the Excluded AD Query list. |
| ADAM (AD LDS) | Select to export any ADAM (AD LDS) auditing definitions. |
| ADAM (AD LDS) \| Attributes | Select to export any ADAM (AD LDS) attribute auditing definitions. |
| Exchange Online | Select to export the Exchange Online Mailbox auditing list. |
| Exchange Mailbox | Select to export the Exchange Mailbox auditing list. |
| SQL | Select to export any SQL auditing templates. NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly. |
| VMware | Select to export any VMware auditing templates. |
| SharePoint | Select to export any SharePoint auditing templates. |
| File System | Select to export any File System auditing templates. NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly. |
| Registry | Select to export any Registry auditing templates. NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly. |
| Services | Select to export any Service auditing templates. NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly. |
| EMC | Select to export any EMC auditing templates. |
| NetApp | Select to export any NetApp auditing templates. |
| SonicWALL | Select to export any SonicWALL web site or cloud storage auditing templates. NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly. |
| Protection | |
| Active Directory | Select to export any Active Directory protection templates. |
| ADAM (AD LDS) | Select to export any ADAM (AD LDS) protection templates. |
| Group Policy | Select to export any Group Policy protection templates. |
| Exchange Mailbox | Select to export any Exchange Mailbox protection templates. |
| File System | Select to export any File System protection templates. NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly. |

4 Click OK to export the selected settings into an XML file.
5 On the Save Configuration dialog, select the location where the XML file is to be saved. By default, the
name of the file is Change Auditor Configuration; however, you can change this in the File name field.
Click Save.

NOTE: A similar dialog appears when you use the Action | Import menu command. From this dialog, you
can then select the configuration, auditing and protection settings to be imported.


10
Agent Configurations

Introduction

Agent Configuration page

Define agent configurations

Assign agent configurations to server agents

Enable event logging

Introduction
Change Auditor assigns the default configuration to each agent, including both server agents and workstation
agents, during deployment. This default configuration consists of the following settings:

System Settings:

Polling Interval: 900 seconds

Forwarding Interval: 5 seconds

Retry Interval: 300 seconds

Maximum events per connection: 1,500

Agent Load Threshold: 10,000

Allowed time for connection: 24 x 7


NOTE: These system settings apply to both server agents and workstation agents.

File System settings:

Discard duplicates that occur within: 10 seconds


NOTE: This setting only applies to file system auditing which is available with Change Auditor for
Windows File Servers, Change Auditor for EMC and Change Auditor for NetApp.

AD Query settings:

Discard query results less than: 0 records

Discard queries taking less than: 20 milliseconds

Discard duplicate queries occurring within: 15 minutes

AD Query auditing enabled


NOTE: These settings only apply to Active Directory query auditing which is available with
Change Auditor for Active Directory Queries.

Exchange settings:

Discard duplicate folder opens that occur within: 0 seconds


NOTE: This setting only applies to Exchange auditing which is available with Change Auditor for
Exchange.

VMware settings:

Polling Interval: 60 seconds


NOTE: This setting only applies to server agents.

SonicWALL settings:

AppFlow Collector Port: 2055

Processing Interval: 1 second

Processing Idle Time: 10 seconds

Data Cache Interval: 10 minutes

Purge Interval: 60 seconds

Purge Idle Time: 60 seconds


NOTE: These settings only apply to web site and cloud storage auditing which is available with
Change Auditor for SonicWALL.
TIP: Whenever you upgrade from a previous version of Change Auditor, the default configuration settings
will be restored. Therefore, if you want to modify the default configuration settings, it is best to copy the
default configuration and then save it using a different name.

You can define and assign different agent configurations to each deployed server agent from the Agent
Configuration page on the Administration Tasks tab. However, workstation agents always use the default
configuration; they cannot be assigned to a different agent configuration. Also, when the default configuration
is modified, workstation agents will only receive these modifications when the polling interval determines there
has been a change; clicking the Refresh Configuration button on the Agent Configuration page only pushes
agent configuration changes out to server agents.
In order to enable various custom auditing and protection features, you are required to assign templates to an
agent's configuration. The custom auditing and protection features that require custom templates to be
assigned to an agent's configuration are:

Excluded Accounts Auditing

File System Auditing

File System Protection

Registry Auditing

Service Auditing

SonicWALL Cloud Storage Auditing

SonicWALL Web Site Auditing

SQL Auditing

NOTE: The NetApp, EMC, SharePoint, VMware and Exchange Online Auditing templates define
which Change Auditor agent(s) are used to capture events; however, these templates do not use the agent
configurations from the Agent Configuration page as described in this chapter. See the Dell Change
Auditor for NetApp User Guide, Dell Change Auditor for EMC User Guide, Dell Change Auditor for
SharePoint User Guide, Dell Change Auditor for Exchange User Guide, or VMware Auditing chapter in
this document for more information.
This chapter describes the Agent Configuration page and how to perform the tasks associated with defining and
assigning configurations to Change Auditor agents. For a description of the other dialogs mentioned, refer to the
online help. For more information on Registry Auditing, Service Auditing and Account Exclusion refer to the
appropriate sections in this document. For more information on File System Auditing and File System
Protection, see the Dell Change Auditor for Windows File Servers User Guide. For more information on SQL
Auditing, see the Dell Change Auditor for SQL Server User Guide. For more information on SonicWALL
auditing, see the Dell Change Auditor for SonicWALL User Guide.

Agent Configuration page


Use the Agent Configuration page to define and assign agent configurations. The Agent Configuration page is
displayed when Agent is selected from the Configuration task list in the navigation pane of the Administration
Tasks tab.
NOTE: Workstation agents always use the default configuration and cannot be assigned to a different
agent configuration; therefore, they are not included on the Agent Configuration page.
The Agent Configuration page may contain the following information for each server agent that is deployed. The
default column identifies the fields that are displayed by default. To display different fields, use the Field
Chooser button located to the far left of the column headings.

NOTE: All dates and times are based on the client's current local date and time. The format used to
display the date and time is determined by the local machine's regional and language setting.

Table 17. Agent Configuration page: Field descriptions

| Column | Default | Description |
|---|---|---|
| Active Directory | No | Indicates whether Active Directory auditing and/or protection has been defined. |
| ADAM (AD LDS) | No | Indicates whether ADAM (AD LDS) auditing and/or protection has been defined. |
| Agent | Yes | Displays the NetBIOS name of the server that hosts the Change Auditor agent. |
| Agent FQDN | No | Displays the fully qualified domain name (FQDN), consisting of the host and domain name including the top-level domain, of an agent. |
| Configuration | Yes | Displays the name of the agent configuration assigned to each agent listed. |
| Coordinator | No | Displays the computer name of the Change Auditor coordinator that an agent is connected through. |
| DB Size | No | Displays the size of an agent's database. |
| Domain | Yes | Displays the name of the domain where the server resides. |
| EMC | Yes | Indicates whether an agent has been assigned to an EMC auditing template to receive EMC events. |
| Events Last 24 Hours | No | Displays the number of events encountered on the agent during the past 24 hours from when the Agent Configuration page is initially opened during the current client session or when the page is refreshed using the Refresh button. The value in this field is a hypertext link and when selected launches a quick search to display the events generated in the last 24 hours. |
| Events Last Hour | No | Displays the number of events encountered on the agent in the last 60 minutes from when the Agent Configuration page is initially opened during the current client session or when the page is refreshed using the Refresh button. The value in the field is a hypertext link and when selected launches a quick search to display the events generated in the last 60 minutes. |
| Events Today | No | Displays the number of events encountered on the agent since 12:00 a.m. of the current day (based on the relative coordinator computer's time). The value in this field is a hypertext link and when selected launches a quick search to display today's events. |
| Events Total | No | Displays the number of events encountered since the agent was started. The value in this field is a hypertext link and when selected launches a quick search to display all events encountered since the agent was started. |
| Events Yesterday | No | Displays the number of events encountered between 12:00 a.m. yesterday and 12:00 a.m. of the current day (based on the relative coordinator computer's time). The value in this field is a hypertext link and when selected launches a quick search to display yesterday's events. |
| Exchange | No | For agents hosting Exchange, this column indicates whether Exchange Mailbox auditing and/or Exchange Mailbox protection has been defined. |
| Exchange Online | Yes | Indicates whether an agent has been assigned to an Exchange Online Auditing template to receive Exchange Online/Office 365 events. |
| Exchange Server | No | Indicates whether the server is an Exchange server. |
| Exclude Account | Yes | Indicates whether an Excluded Accounts Auditing template has been assigned to an agent's configuration. |
| File System | Yes | Indicates whether a File System Auditing or File System Protection template has been assigned to an agent's configuration. |
| Forest | No | Displays the name of the forest where the agent resides. |
| Group Policy | No | Indicates whether Group Policy protection has been defined. |
| Last Update | No | Displays the date and time when the agent configuration was last updated. |
| NetApp | Yes | Indicates whether an agent has been assigned to a NetApp Auditing template to receive NetApp filer events. |
| Registry | Yes | Indicates whether a Registry Auditing template has been assigned to an agent's configuration. |
| Service | Yes | Indicates whether a Service Auditing template has been assigned to an agent's configuration. |
| SharePoint | Yes | Indicates whether an agent has been assigned to a SharePoint Auditing template to capture SharePoint events. |
| SonicWALL | Yes | Indicates whether a SonicWALL Auditing template has been assigned to an agent's configuration to capture SonicWALL web site or cloud storage events. |
| SQL | Yes | Indicates whether a SQL Auditing template has been assigned to an agent's configuration. |
| SQL Data Level | Yes | Indicates whether a SQL Data Level Auditing template has been assigned to an agent's configuration. |
| Startup Time | No | Displays the date and time when the agent was last initialized. |
| Status | No | Displays the current status of the agent: active, inactive, uninstalled. |
| Type | No | Displays the agent platform: Domain Controller, Global Catalog, Server. |
| Unsent Events | No | Displays the number of events that have not yet been sent to the coordinator. |
| Uptime | No | Displays how long the agent has been running. |
| Version | No | Displays the version number of the Change Auditor agent currently deployed. |
| VMware | Yes | Indicates whether an agent has been assigned to a VMware Auditing template to capture VMware events. |


Define agent configurations


To define a new agent configuration:

1 Open the Administration Tasks tab.
2 Click the Configuration task button at the bottom of the navigation pane (left pane).
3 Select Agent in the Configuration task list to display the Agent Configuration page.
4 From the Agent Configuration page, click the Configurations tool bar button.
The Configuration Setup dialog appears, which contains a list of configuration definitions available as
well as the means for creating a new configuration.
5 From this dialog, click the Add button to create a new definition or click the Copy button to duplicate
the configuration selected in the Configurations list box.
This will add a new configuration to the list, allowing you to name the new configuration, specify the
system settings and assign auditing and protection templates to the configuration.
6 With the new/copied configuration highlighted in the Configuration list, enter the name for your new
agent configuration.
7 Use the tabbed pages at the top of the dialog to modify the system settings, file system settings, AD
Query settings, Exchange settings, VMware settings, or SonicWALL settings. The settings that can be
modified on these tabs include:

Table 18. Agent Configuration settings

System Settings

| Setting | Default | Valid range |
|---|---|---|
| Polling Interval | 900 seconds | 60 - 9999 seconds |
| Forwarding Interval | 5 seconds | 5 - 999 seconds |
| Retry Interval | 300 seconds | 60 - 600 seconds |
| Max events per connection | 1500 events | 100 - 99999 events |
| Agent Load Threshold | 10000 events | 100 - 100000 events |
| Allowed time for connection | Sunday - Saturday, 12:00 am - 11:59 pm | N/A |

File System
The settings on the File System tab only apply when Change Auditor for Windows File Servers, Change
Auditor for EMC or Change Auditor for NetApp is licensed.

| Setting | Default | Valid range |
|---|---|---|
| Discard duplicates that occur within nn seconds | Enabled by default; 10 seconds | 1 - 600 seconds |
| Audit all configured, including duplicates (Not recommended) | Disabled by default | N/A |

AD Query
The settings on the AD Query tab only apply when Change Auditor for Active Directory Queries is
licensed.

| Setting | Default | Valid range |
|---|---|---|
| Discard query results less than nn records | 0 records | 0 - 99999 records |
| Discard queries taking less than nn milliseconds | 20 milliseconds | 0 - 99999 milliseconds |
| Discard duplicate queries occurring within nn minutes | 15 minutes | 1 - 1440 minutes |
| AD Query auditing enabled | Enabled by default | N/A |

Exchange
The setting on the Exchange tab only applies when Change Auditor for Exchange is licensed.
NOTE: These settings only apply to the Exchange subsystem events; they do not apply to the Exchange
Online subsystem events.

| Setting | Default | Valid range |
|---|---|---|
| Discard duplicates that occur within nn seconds | 0 seconds | 0 - 600 seconds |

VMware

| Setting | Default | Valid range |
|---|---|---|
| Polling Interval | 60 seconds | 60 - 9999 seconds |

SonicWALL
The settings on the SonicWALL tab only apply when Change Auditor for SonicWALL is licensed.

| Setting | Default | Valid range |
|---|---|---|
| AppFlow Collector Port | 2055 | 1024 - 65535 |
| Processing Interval | 1 second | 1 - 60 seconds |
| Processing Idle Time | 10 seconds | 1 - 60 seconds |
| Data Cache Interval | 10 minutes | 1 - 60 minutes |
| Purge Interval | 60 seconds | 10 - 600 seconds |
| Purge Idle Time | 60 seconds | 10 - 600 seconds |

For a detailed description of these settings, refer to the online help.


8 To add an auditing or protection template to the selected configuration, use the Auditing and Protection
Templates pane. This pane displays the auditing and protection templates previously defined.
Use one of the following methods to assign a template to an agent configuration:

- Select a template and drag and drop it onto a configuration in the Configuration list.
- Select a configuration from the Configuration list and drag and drop it onto a template in the
  Auditing and Protection Templates pane.
- Select a configuration, then select a template, right-click and select Assign.
- Select a configuration, then select a template, click in the corresponding Assigned cell and click
  Yes.

Repeat this step to add additional templates to the selected configuration.


9 If the templates list is empty or you want to define a new template, click the Edit Templates button.

- On the Auditing and Protection Templates dialog, select the tab for the type of template to be
  added (e.g., Excluded Accounts) and click the Add Template button.
- The associated wizard will be displayed allowing you to define the auditing or protection to be
  applied. Refer to the appropriate chapters in this guide for details on completing each of these
  wizards.

10 Once you have defined the new template, click OK to close this dialog and return to the Configuration
Setup dialog. Select this new template, right-click and select Assign.
11 Once you have named the configuration, selected the system settings and added auditing or protection
templates, click the OK button to save your configuration and return to the Agent Configuration page.

Assign agent configurations to server agents


Once agent configurations are defined they can be assigned to one or more installed server agents. This new
configuration may now be assigned from the Agent Configuration page.

To assign a configuration to an agent from the Agent Configuration page:

1 On the Agent Configuration page, select one or more agents from the agent list and click the Assign tool
bar button or right-click command.
2 On the Agent Assignment dialog, select the configuration definition to be assigned to the selected agents
and click the OK button.
3 On the Agent Configuration page, the agent configuration assignment will be updated in the
Configuration column.
4 Select the agent(s) assigned to the agent configuration and click the Refresh Configuration tool bar
button or right-click command. This will ensure that the assigned agent(s) are using the latest agent
configuration.

To reset ALL agent configurations back to the default configuration:

1 On the Agent Configuration page, click the Default All tool bar button.
2 A message will be displayed confirming that you want to reset ALL agent configurations back to the
factory default settings. Click Yes.
3 The agent configuration assignment will be updated in the Configuration column.
4 Select the agent(s) assigned to the agent configuration and click the Refresh Configuration tool bar
button or right-click command. This will ensure that the assigned agent(s) are using the latest agent
configuration.


Enable event logging


Using the Agent Configuration page you can also enable the event logging feature which writes Change Auditor
events locally to a Windows event log. These event logs can then be collected using Dell InTrust to satisfy
long-term storage requirements.

NOTE: Event logging must be enabled for Change Auditor's audit events to be available in InTrust.

NOTE: This is a global setting and applies to all Change Auditor agents. However, keep the following in
mind when defining custom auditing:

Disabling Change Auditor events does NOT impact event logging.

Excluding accounts from auditing does NOT impact event logging with the exception of Exchange.
That is, if an Exchange Mailbox account is set to exclude ALL mailbox events, then these events
will also be excluded from the event log.

For Registry events, event logging is disabled by default. When enabled, only configured activities
are sent to the event log.

For Service events, event logging is disabled by default. When enabled, only configured activities
are sent to the event log.

For Active Directory events, event logging is disabled by default. When enabled, all Active
Directory activity is sent to the event log.

For ADAM (AD LDS) events, event logging is disabled by default. When enabled, all ADAM activity is
sent to the event log.

For File System events, event logging is disabled by default. When enabled, only configured
activities are sent to the event log.

For Exchange mailbox events, event logging is disabled by default. When enabled, only configured
Exchange Mailbox activities are sent to the event log. Exchange Online events are NOT logged to
this event log.

For SQL Server events, event logging is disabled by default. When enabled, only configured
activities are sent to the event log.

For SQL Data Level events, event logging is disabled by default. When enabled, only configured
activities are sent to the event log.

For AD Query events, event logging is disabled by default. When enabled, all Active Directory
queries, except those specified in the Excluded AD Query list are sent to the event log. When
enabling AD Query event logging, keep in mind that AD Query events could be of very high volume.

For EMC events, event logging is disabled by default. When enabled, only configured activities
are sent to the event log.

For NetApp events, event logging is disabled by default. When enabled, only configured activities
are sent to the event log.

For SharePoint events, event logging is disabled by default. When enabled, only configured
activities are sent to the event log.

For Lync events, event logging is disabled by default. When enabled, all Lync events are sent to
the event log.

For SonicWALL events, event logging is disabled by default. When enabled, only configured web
site/cloud storage site activities are sent to the event log.


To enable event logging:

1 Open the Administration Tasks tab.
2 From the left-hand pane, select Agent (under the Configuration task list) to display the Agent
Configuration page.
3 Click the Event Logging tool bar button.
4 On the Event Logging dialog, select the type of event logging to be enabled:

- Active Directory
- ADAM (AD LDS)
- Exchange
- File System
- SQL
- SQL Data Level
- EMC
- AD Query
- SonicWALL
- Registry
- Service
- Local Account
- Change Auditor
- NetApp
- SharePoint
- Lync

NOTE: If an option is disabled, this indicates that you do not have the corresponding component
licensed. For example, if the SharePoint check box is disabled, you do not have a Change Auditor
for SharePoint license.

5 Click OK to save your selection and close the dialog.


11
Coordinator Configuration

Coordinator Configuration page

SMTP Configuration pane

Configure email alert notifications/reports

Customize alert email content

Group Membership Expansion pane

Add groups to Group Membership Expansion list

Agent Heartbeat Check pane

Coordinator Configuration page


The Coordinator Configuration page is displayed when Coordinator is selected from the Configuration task list
in the navigation pane of the Administration Tasks tab.
This page consists of the following panes:

SMTP Configuration pane - for enabling and configuring SMTP for email alerting and reporting

Group Membership Expansion pane - for defining the schedule for expanding nested membership of
Active Directory groups that are referenced in searches (Who search criteria) or groups that are
defined in the Member of Group auditing feature

Agent Heartbeat Check pane - for specifying how long the coordinator service is to wait before an agent
that is not sending updates will be marked as inactive

This chapter provides a description of the panes listed above and instructions on how to use these panes to
configure email alerting and group membership expansion. For a description of the other dialogs mentioned in
this chapter, refer to the online help.

SMTP Configuration pane


To dispatch alerts and reports through email (SMTP), you must first enable email notification and define the mail
server to be used in the SMTP Configuration pane on the Coordinator Configuration page. In addition, you can
optionally specify Exchange host information if you want to use the Exchange Global Access List (GAL) to look up
email recipients.


Configure email alerting and reporting by specifying the following information in the SMTP Configuration pane:
Table 19. Coordinator Configuration page: SMTP Configuration pane field/control descriptions
Field/Control

Description

Enable SMTP for Alerts and Reporting

Select this check box to enable email alert notifications and reporting. Checking
this option will activate the remaining fields on this page to define the mail server
to be used.
NOTE: The settings set on this page are global settings and will apply to all
alert/report emails. For alerts you can override the reply to, alert subject,
signature and body content for individual search queries using the settings on the
Alert tab (Search Properties tabs). For reports, you can override the To and Reply
addresses, specify carbon copy (Cc and Bcc) recipients, and modify the subject line
for individual search queries using the Report tab (Search Properties tabs).

Mail Server

When SMTP is enabled for alerts and reporting, enter the name or IP address of the
mail server in this text box.
NOTE: Change Auditor sends alerts/reports through a single SMTP (email) relay
configuration even when multiple coordinators are configured. That is, all
coordinators will use the same mail server for sending alert notifications and
reports.

From Server

Enter the email address from which alert notifications and reports are to originate.
Instead of entering an email address, you can use the browse button to the far right
of the From Address field to select the user whose email address is to be used for
alert notifications and email reports.
Clicking this button displays one of the following dialogs:

The Select Active Directory Objects dialog (Directory object picker) allows
you to locate and select an Active Directory user. Use the Browse or Search
page to locate and select an Active Directory user.
This dialog is displayed when no Exchange host is specified in the SMTP
Configuration pane of the Coordinator Configuration page.

The Select Exchange Users dialog allows you to search for and select a
mail-enabled object from the Exchange Global Access List (GAL). On the
Exchange tab, enter a name or partial name, at least three characters long,
and click the Search button to look up mail-enabled objects in the GAL. On
the Active Directory tab, use the Browse or Search page to locate and select
an Active Directory user.

This dialog is displayed when an Exchange host is defined in the SMTP Configuration
pane of the Coordinator Configuration page.
Reply To

Enter the address where replies to alert/report emails are to be sent.

Instead of entering an email address, you can use the browse button to the far right
of the Reply To field to select the user whose email address is to be used for alert
notifications and email reports.
Clicking this button displays one of the following dialogs:

The Select Active Directory Objects dialog (Directory object picker) allows
you to locate and select an Active Directory user. Use the Browse or Search
page to locate and select an Active Directory user.
This dialog is displayed when no Exchange host is specified in the SMTP
Configuration pane of the Coordinator Configuration page.

The Select Exchange Users dialog allows you to search for and select a
mail-enabled object from the Exchange Global Access List (GAL). On the
Exchange tab, enter a name or partial name, at least three characters long,
and click the Search button to look up mail-enabled objects in the GAL. On
the Active Directory tab, use the Browse or Search page to locate and select
an Active Directory user.

This dialog is displayed when an Exchange host is defined in the SMTP Configuration
pane of the Coordinator Configuration page.
Alert Subject

Enter a customized subject line to replace the default text in the subject line for
alert notifications. The default subject line contains the following information:
Change Auditor %Alert_Type% from %Alert_Coordinator_Name%: %Alert_Name%
Where:
%Alert_Type% is either Alert or Smart Alert
%Alert_Coordinator_Name% is the name of the coordinator generating the
alert
%Alert_Name% is the name of the alert that fired
NOTE: The Alert Subject does not apply to email reports.
Click the browse button to the far right of the Subject Line field to select the
variable(s) to be inserted into the subject line or to reset it back to the default
content.
Expand the Insert Variable option to insert one or more of the following variables
into the subject line:

ALERT_NAME

ALERT_TIME_SENT

ALERT_TYPE

ALERT_COORDINATOR_DOMAIN

ALERT_COORDINATOR_NAME

SMART_ALERT

SMART_ALERT_GROUPING

SMART_ALERT_OCCURRENCE

SMART_ALERT_PERIOD

SMART_ALERT_PERIOD_UNIT

BATCH_ID

EVENT_COUNT

Select the Restore To Default option to reset the subject line back to the default
content. That is, remove any variables that were inserted.
Send Plain Text Email

Select this option to have the email notification sent in plain text format. (Default)

Send HTML Email

Select this option to have the email notification sent in HTML format.

Configure Body

Click this button to launch the Alert Body Configuration dialog where you can
define the content of the main body, the event details and the signature to be
included in your alert emails.

My Server Requires Authentication

Select this check box if the specified mail server requires authentication and enter
the account information as described below.

Account Name

Enter the account name required to authenticate to the specified mail server.
Instead of entering the account name, you can use the browse button to the far
right of the Account Name field to select the account to be used. Clicking this
button displays the Select Active Directory Object dialog (Directory object picker).
Use the Browse or Search pages to locate the user account to be used to
authenticate to the mail server.

Password

Enter the password associated with the account name entered above.
NOTE: Blank passwords are NOT allowed.

Enable SSL

Select this check box to enable Secure Socket Layer (SSL) encryption protocol to
create a secure connection for transmitting data from the mail server.

Exchange Host

(Optional) Entering the Exchange host information allows you to look up email
recipients from the Exchange GAL in addition to Active Directory. That is, when you
click a browse button on the SMTP Configuration pane, Alert Custom Email dialog or
Report tab to look up an email recipient, the Select Exchange Users dialog appears,
which contains both an Exchange tab and an Active Directory tab.
Enter the internet host name of the Exchange mail server.
Use the field to the right of the Exchange Host field to select the Exchange version
associated with the specified Exchange host.

Email

Enter your full email address.

My Host Requires Authentication

Select this check box if the specified Exchange host requires authentication and
enter the account information as described below.

Account Name

Enter the user account name used to log into your email account.
Instead of entering the user name, you can use the browse button to the far right of
the Account Name field to select the account to be used. Clicking this button
displays the Select Active Directory Object dialog (Directory object picker). Use the
Browse or Search pages to locate the user account to be used to authenticate to the
Exchange host.

Password

Enter the password associated with the account name entered above.
NOTE: Blank passwords are NOT allowed.

Configure email alert notifications/reports


In order to dispatch configuration change alerts or reports through email (SMTP), you must enable email
notification on the Coordinator Configuration page.
NOTE: The settings set on this page are global settings and will apply to all email alert notifications and
reports.
For alerts, you can override the reply to, alert subject, signature and body content for individual search
queries using the settings on the Alert tab (Search Properties tabs).
For reports, you can override the reply to address for individual search queries using the Report tab
(Search Properties tabs).

NOTE: Change Auditor sends alerts through a single SMTP (email) relay even when multiple coordinators
are configured. That is, all coordinators will use the same mail server for sending alert notifications and
reports.

To enable and configure email notifications/reports:


1 Open the Administration Tasks page.

2 Click the Configuration task button at the bottom of the navigation pane (left pane).

3 Select Coordinator in the Configuration task list to open the Coordinator Configuration page.

4 On the SMTP Configuration pane, select the Enable SMTP for Alerts and Reporting option to enable
email alert notifications and reporting. Checking this option will activate the remaining fields on this
page to define the mail server to be used.
Enter the following information:

Mail Server

From Address
NOTE: Use the browse button to the right of the From Address field to launch the Select
Active Directory Object dialog (Directory object picker) or Select Exchange User dialog.
From the Select Active Directory Object dialog, use the Browse or Search page to locate and
select a user.
If the Exchange Host information is entered at the bottom of the SMTP Configuration pane,
the Select Exchange Users dialog appears. On the Exchange tab, enter a name or partial
name, at least three characters long, in the Find field and click Search to look up and select
an Exchange user. On the Active Directory tab, use the Browse or Search page to locate and
select an Active Directory user.

Reply To
NOTE: Use the button to the right of the Reply To field to launch the Select Active
Directory Object dialog (Directory object picker) or Select Exchange User dialog.
From the Select Active Directory Object dialog, use the Browse or Search page to locate and
select a user.
If the Exchange Host information is entered at the bottom of the SMTP Configuration pane,
the Select Exchange Users dialog appears. On the Exchange tab, enter a string at least three
characters long in the Find field and click Search to look up and select an Exchange user. On
the Active Directory tab, use the Browse or Search page to locate and select an Active
Directory user.

Alert Subject
NOTE: Use the button to the right of the Alert Subject field to insert a variable into the
subject line or to reset it back to the default content.

5 Select the appropriate option to have the email notification/report sent in plain text format (default) or
HTML format.

6 Optionally, click the Configure Body button to launch the Alert Body Configuration dialog where you can
define the content of the main body, the event details and the signature to be included in your alert
emails. After configuring the alert body, click OK to return to the Coordinator Configuration page.
NOTE: The Alert Body Configuration settings do not apply to email reports. To define the content
(columns) to be included in a report, use the Layout tab. In addition, you can use the Report
Layouts page (Administration Tasks tab) to create customized report layout template(s) defining
the header and footer information to be used in your reports.

7 If the specified mail server requires authentication, select the My Server Requires Authentication
check box and enter the account credentials to be used.
NOTE: Use the button to the right of the Account Name field to launch the Select Active Directory
Object dialog (Directory object picker). From this dialog, use the Browse or Search page to locate
and select a user.

8 (Optional) Enter the Exchange host information as described below:

Exchange Host: Enter the internet host name of your Exchange mail server. Use the field to the
far right of the Exchange Host field to specify the Exchange version for your Exchange host.

Email: Enter your full email address.

My Host Requires Authentication: Select this check box if the Exchange host requires
authentication and enter the Account Name and Password used to log into your email account.
NOTE: Use the button to the right of the Account Name field to launch the Select Active
Directory Object dialog (Directory object picker). From this dialog, use the Browse or
Search page to locate and select a user.

Configuring the Exchange host allows you to look up email recipients using the Exchange GAL or Active
Directory. That is, when you select a browse button to look up an email recipient from the top part of the
SMTP Configuration pane, Alert Custom Email dialog or Report tab, the Select Exchange User dialog
appears, which contains an Exchange tab where you can enter a partial name to look up users from the
Exchange GAL.

9 Click the Test SMTP tool bar button to test the mail server configuration.

10 Once the mail server configuration is verified, click the Apply Changes tool bar button to save the
configuration.
11 Now that SMTP alerting/reporting is enabled and configured, you can enable email alert notifications for
individual search definitions using the Alert tab (Search Properties tabs) and/or reporting for individual
search definitions using the Report tab (Search Properties tabs).

Customize alert email content


In addition to the customizable fields (Reply To, Alert Subject and Signature) on the Coordinator Configuration
dialog, you can use the Configure Body button to define the content to be used in the main body of your alert
emails as well as the event details to be included.
NOTE: When accessed through the Coordinator Configuration page, these settings will apply globally to all
alert emails. However, if accessed through the Alert tab, these settings will apply to the selected alert
only.
NOTE: The Alert Body Configuration settings do not apply to email reports. To define the content
(columns) to be included in a report, use the Layout tab. In addition, you can use the Report Layouts page
(Administration Tasks tab) to create customized report layout template(s) defining the header and footer
information to be used in your reports.

To customize alert email content:


1 Click the Configure Body button to display the Alert Body Configuration dialog.

2 On the Alert Body Configuration dialog, select the appropriate option (at the bottom of the dialog) to
edit either the Plain Text (default) or the HTML representation of the alert emails.

3 Use the Main Body tab to enter the text to be included and define the overall layout of the alert body.

Select the Show Variables check box to display the variables that can be added to the main body
of your email.

To add a variable, double-click the variable from the Variable list at the bottom of the page. You
can also drag and drop a variable from the Variable list into the main body text box.
NOTE: The event details defined in the Event Details tab are placed in the Main Body pane using
the following tag: %EVENT_DETAILS%. This tag should NOT be removed from the Main Body tab if
you want to include the event details in the alert emails.

4 Use the Event Details tab to specify the event details to be included. That is, you can rearrange the
entries, remove entries, or modify text, etc.

Select the Show Variables check box to display a list of the variables that can be added to the
event details of your alert email.

To add a variable, double-click the variable from the Variable list at the bottom of the page. You
can also drag and drop a variable from the Variable list into the Event Details text box.
NOTE: Do NOT modify the blue text surrounded by percent signs (e.g., %USERNAME%). These are
tags which represent actual data retrieved from the Change Auditor event that triggered the alert.
See Change Auditor Email Tags for more information on these tags and the data retrieved by each.

5 Use the Signature tab to define the content of the signature line to be used in alert emails.

6 After you have entered the body content and defined the event details and signature line to be included,
select the Preview tab to view a sample email using your defined format and content.

7 Once defined, click the OK button to save your settings and close the Alert Body Configuration dialog.
NOTE: Click the Restore to Default button to revert back to the default email content and format.

Group Membership Expansion pane


The middle pane of the Coordinator Configuration page contains options which allow you to define the schedule
for expanding nested membership of Active Directory groups that are referenced in searches (Who search
criteria) or groups that are defined in the Member of Group feature. Group membership will be recursively
enumerated in order to determine nested group membership.

Use the following options to define group membership expansion behavior:


Table 20. Coordinator Configuration page: Group membership expansion options
Options

Description

Select the groups to expand

Select one of the following options to define how you want to expand
groups:

Expand all groups - This expands all groups in the forest. Use this
only if you are using SSIS and need the freedom to make requests for
any group in the forest.

Expand groups that are referenced in existing queries - Change
Auditor must expand all groups in queries in order to get their
membership. With the membership, the events for the groups can
be retrieved. This is always done and cannot be disabled.

Expand groups that are referenced in existing queries and
selected groups (default) - In addition to the groups referenced in
existing queries, you have the ability to select other groups. This
would be useful when you have groups that need expansion for SSIS
database requests, but you do not want to burden your production
system with expanding all groups in the environment.

Group Membership Expansion list

The Group Membership Expansion list box is only available when the
Expand groups that are referenced in existing queries and selected
groups option is selected and displays a list of the groups to be expanded.
Use the Add button to add groups to this list box and use the Remove
button to remove groups from the list box.
Add

Use the Add button to add groups to the group membership expansion list.
Clicking this button will display the Select Active Directory Objects dialog
allowing you to locate and select the groups to be added.
See Directory object picker for a description of the Browse, Search and
Options pages. Note that the Find field on this dialog will display Group
and cannot be changed.

Remove

Use the Remove button to remove the selected group from the group
membership expansion list.

Select the refresh frequency


Select from the following options to define how often you want to refresh the group membership expansion
list.
Refresh group membership every nnn minutes

By default, group membership will be refreshed every 360 minutes. Use the
arrow controls to increase or decrease this value.
Valid range: 10 - 43200

Number of groups to expand every 5-minute cycle

By default, 20 groups will be expanded every 5-minute cycle. Use the
arrow controls to increase or decrease this value.
Valid range: 1 - 100000

Refresh the list of expanded groups every nnn minutes

By default, the group membership expansion list is refreshed every 180
minutes. Use the arrow controls to increase or decrease this value.
Valid range: 10 - 43200

Defaults

Use the Defaults button to reset the refresh frequency settings back to the
factory defaults.

Add groups to Group Membership Expansion list

By default, the Expand groups that are referenced in existing queries and selected groups option is selected
on the Group Membership Expansion pane of the Coordinator Configuration page. With the option selected, you
can add groups to the Group Membership Expansion list as described below:
1 Click the Add button to display the Select Active Directory Objects dialog.

2 Use either the Browse page or Search page to locate and select a group to be added to this list. Once a
group is selected, click the Add button on this dialog to add it to the selection list at the bottom of the
dialog.
Repeat this step to add each additional group.

3 Once you have selected all the groups to be added, click the Select button to save your selection.
The specified groups will now be listed in the Group Membership Expansion list on the Coordinator
Configuration page.

4 On the Coordinator Configuration page, click the Apply Changes tool bar button to apply your changes
regarding group membership expansion.

Agent Heartbeat Check pane


The bottom pane on the Coordinator Configuration page allows you to define how long the coordinator service
will wait before an active agent that is not sending updates will be marked as inactive.
Use the following options to define the Agent heartbeat check settings:
Table 21. Coordinator Configuration page: Agent heartbeat check options
Options

Description

Agent goes offline after being inactive for nn minutes

By default, the coordinator service will mark an agent as inactive
when it has not received any updates from the agent for 30
minutes.
Use this setting to specify the period of time an agent must be
inactive before the coordinator service marks it as inactive.
Valid range: 5 - 14400

Coordinator should try to restart agent service if an agent goes offline

Select this check box if you want to have the coordinator service try
to restart an agent service before it marks it as inactive.

12 Purging and Archiving your Change Auditor Database

Introduction

Planning your jobs

Purge and Archive page

Create and maintain jobs

Purge and Archive wizard

Purge selected records

Introduction
Change Auditor provides several options that allow you to schedule both the purging of events from your
database and archiving older data to an archive database. Automating database cleanup allows you to keep
critical and relevant data online and current while eliminating or archiving events that are no longer required.
This not only prevents your database from growing in size, but it increases overall operational efficiency by
speeding up searches and data retrieval from the database.
Using the purge options, you can define and schedule jobs that will eliminate events from the database based
on the following criteria:

All events older than a specific number of days.

Selected events based on:

Who - purge events generated by a specific user, computer or group.

What - purge events based on subsystem, event class, object class, severity or results.

Where - purge events captured by a specific agent, domain or site.

Origin - purge events originating from a specific workstation or server.

Using the archive options, you can select to create a yearly archive database for older events that are no longer
required to be represented in your reports.
Table 22. Available job types
Job type

Description

Purge

This deletes events from the production database. You can create and
run multiple purge jobs.
When scheduling a purge job, you can choose a batch limit. This limit
tells the job how many events to delete from the production database
before pausing and running another job. Choosing too large a batch
limit may slow your purge jobs down. If you find that they are slow,
reduce the batch limit.

Archive

This moves events from the production database to an archive database
(on the same database server). You can only create and run one
archive job or one purge and archive job.
When scheduling an archive job for the first time it may take a long time
to complete (depending on how many years of data you are asking to be
archived). Batch limit does not apply to an archive type job.
When running an archive job, you need to pay attention to disk space
growth on the SQL server.

Purge and archive

This deletes events (purge job) from the production database, then
immediately performs an archive job to move the remaining records in
the time period specified for the job from the production database to an
archive database. You can only create and run one purge and archive
job or one archive job.
If you select a batch limit, it will only apply to the purging portion of the
job. When the batch limit is reached, the job will immediately run again
ensuring this job type runs to completion before the archive job begins.

Planning your jobs


Planning your jobs before scheduling them will help ensure they run as expected. Keep in mind, all jobs can
take a significant time to run depending on the amount of data in your environment.

Scheduling a job
When scheduling your jobs, consider the following:

Only one job can run at a time.

Only one archive type job (archive only, purge/archive) can exist. However, multiple purge only jobs can
be scheduled.

Purge only jobs run until they hit the batch limit. When the batch limit is encountered the job pauses
(runs again later) to give another job a chance to run. Archive type jobs will not pause to give other jobs
the opportunity to run until they are complete.

If you have multiple coordinators, only one coordinator will run the job.

Use a purge and archive job to ensure deletion of unwanted events completes before archiving begins.

The first time the job is executed it may be working with a large amount of data and therefore may take
a significant amount of time to run.

It is recommended to run jobs frequently so that they are working with less data and complete faster.
Start with one job to see how long it takes to complete, then add more jobs as needed.

If an archiving job is created to archive large amounts of data over multiple calendar years, it may take
a significant amount of time to finish. If you have multiple calendar years of data to archive, select to
archive the oldest calendar year first. When the first archive job finishes, update the job settings to
archive the next calendar year and so on until all the data has been archived.

Enable notification on the purge and archive internal events to monitor job performance.

When multiple job types are scheduled to run close together, the following behavior will occur:

A list of jobs is created and ordered by next run time. If two jobs have the same run time, the archive
type will run first.
Because of this, the purge jobs may not complete before the archive or purge and archive jobs
run if you do not plan properly.

Multiple Purge jobs will be executed based on the next run time order.

The purge job type runs until the batch limit is reached (batch limit is the total number of events to
delete) and then pauses to give another purge job a chance to run.
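
The following Python model is an added example, not Dell code or part of the original guide. It applies the ordering rules listed above to a planned schedule and counts how many events that a purge job was meant to delete end up in the archive database instead. Assumptions: jobs take no time to run, a paused purge job becomes due again after requeue_delay minutes (the guide says only that it runs again later), and all job names and event counts are constructed.

```python
from dataclasses import dataclass, field

ARCHIVE_KINDS = {"archive", "purge_archive"}  # the guide's "archive type" jobs


@dataclass
class Job:
    name: str              # constructed job name
    kind: str              # "purge", "archive" or "purge_archive"
    next_run: int          # scheduled start, in minutes from t=0
    batch_limit: int = 0   # events a purge deletes before pausing; 0 = no limit


@dataclass
class Result:
    order: list = field(default_factory=list)  # "name@minute" for every run
    purged: int = 0              # unwanted events deleted from production
    archived_unwanted: int = 0   # unwanted events moved to the archive instead
    archived_wanted: int = 0     # events that were meant to be archived


def simulate(jobs, unwanted, wanted, requeue_delay=5):
    """Run the jobs one at a time and report where the events ended up.

    unwanted: events in the production database matching the purge criteria.
    wanted:   other old events that are meant to be kept in the archive.
    requeue_delay is an assumption of this model, not a product setting.
    """
    for job in jobs:
        if job.kind not in ("purge", "archive", "purge_archive"):
            raise ValueError(f"unknown job kind: {job.kind}")
    if sum(job.kind in ARCHIVE_KINDS for job in jobs) > 1:
        raise ValueError("only one archive type job can exist")

    queue = [Job(j.name, j.kind, j.next_run, j.batch_limit) for j in jobs]
    result, clock = Result(), 0
    while queue:
        # Ordered by next run time; on a tie the archive type runs first.
        queue.sort(key=lambda j: (j.next_run, j.kind not in ARCHIVE_KINDS))
        job = queue.pop(0)
        clock = max(clock, job.next_run)
        result.order.append(f"{job.name}@{clock}")

        if job.kind in ("purge", "purge_archive"):
            while True:
                batch = min(job.batch_limit, unwanted) if job.batch_limit > 0 else unwanted
                unwanted -= batch
                result.purged += batch
                # A purge-only job stops after one batch. The purge part of a
                # purge and archive job immediately runs again until done.
                if job.kind == "purge" or unwanted == 0:
                    break
            if job.kind == "purge" and unwanted > 0:
                job.next_run = clock + requeue_delay  # paused, runs again later
                queue.append(job)

        if job.kind in ARCHIVE_KINDS:
            # Archiving moves every remaining old event, wanted or not.
            result.archived_unwanted += unwanted
            result.archived_wanted += wanted
            unwanted = wanted = 0
    return result


def separate_jobs():
    """Purge-only job at t=0 plus an archive job at t=10 (constructed numbers)."""
    return simulate([Job("purge-service-accounts", "purge", 0, 10_000),
                     Job("yearly-archive", "archive", 10)],
                    unwanted=50_000, wanted=200_000)


def combined_job():
    """The same work as a single purge and archive job."""
    return simulate([Job("purge-then-archive", "purge_archive", 0, 10_000)],
                    unwanted=50_000, wanted=200_000)


if __name__ == "__main__":
    for label, res in (("separate", separate_jobs()), ("combined", combined_job())):
        print(label, res.order, "purged:", res.purged,
              "unwanted events archived:", res.archived_unwanted)
```

With these constructed numbers, the separate jobs leave 30,000 of the 50,000 targeted events in the archive database, while the single purge and archive job leaves none.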

During a job
During a purge and/or archive job, consider the following:

Use internal events to monitor job performance.

Monitor disk space on the SQL server while archiving is in progress. (No Shrink is performed)

Post job considerations


After the purge and/or archive job completes, consider the following:

The physical database size is not changed. (Shrink operation is not performed). Once the archive
database has been created, you should perform a database cleanup (shrink) on the production database
as required to free up disk space.
For information on how to perform a database shrink, see https://msdn.microsoft.com/en-us/library/ms189035.aspx.

Multiple archive databases may be created (1 database per archived year).

Archive databases for previous years can be detached and moved to a backup storage if needed.

Purge and Archive page


The Purge and Archive page is displayed when Purge and Archive is selected from the Configuration task list in
the navigation pane of the Administration Tasks page. From here you can specify the settings for the purge and
archive jobs.
Before creating your jobs, see Planning your jobs.
Once a job is defined, the page displays the following details about each job:
Table 23. Purge and Archive page: Field descriptions
Column

Description

Job Name

Displays the name assigned to the job when it was created using the Purge and
Archive wizard.

Last Run

Displays the date and time the job last ran.


NOTE: Based on the client's current local date and time. The format used to display
this date and time is determined by the local computer's regional and language
setting.

Next Run

Displays the date and time the job is scheduled to run next.
NOTE: Based on the client's current local date and time. The format used to display
this date and time is determined by the local computer's regional and language
setting.

Status

Indicates whether the job is enabled or disabled.

Schedule

Displays the schedule defined for running the job.

You will also see information regarding the status of each job including:

When the job was run.

The duration of the job.

The number of events processed.

The coordinator involved in the process.

Informational messages as to the status of the job:


Immediately continuing job: Displays when the purge portion of a purge and archive job continues.
Archive database not found. Recreating archive database: Displays if an archive database has been
moved or deleted.
Starting job: Displays when the purge, archive, or purge and archive job is beginning.
Successfully finished job: Displays when the purge and archive, purge, or archive job is finished.
New archive database created: Displays when the new archive database has been created for the
calendar year.
Events archived: Displays the progression of the number of events being archived.
Total events archived: Displays the total number of archived events when archiving is finished.
Continue purge job: Displays when re-queued purge jobs run again.

Create and maintain jobs


In addition to viewing the details about previously defined jobs, use the Purge and Archive page to define and
schedule new jobs, and edit, disable/enable or delete existing jobs.
CAUTION: Carefully review your current jobs before creating a new job or altering an existing job, as
it is possible to create purge and archive conflicts.
NOTE: If you have specific purge jobs that you want to complete before a scheduled archive, ensure that
you leave enough time between the purge only jobs and the archive job.
Before scheduling a job, ensure that you have reviewed the best practice information in Planning your jobs.

To schedule a purge and archive job:


1 Open the Administration Tasks tab.

2 Select Configuration | Purge and Archive.

3 Click Add to open the Purge and Archive wizard.

4 Enter a descriptive job name.

5 Select the data that you want to purge and/or archive. The default is to process events older than 90
days.
NOTE: Jobs created in previous versions will have the process time converted from
weeks/months/quarters/years to the appropriate number of days.

6 If required, select Purge and choose the records to be deleted from the production database.
All events: Select this option to purge all events from the database that are older than the specified
time.
Only selected events: Select this option to purge only selected events, based on specific criteria, from
the database that are older than the specified time.
Use the criteria tabs to define the events to be deleted:
Who - purge events generated by a specific user, computer or group.
What - purge events based on subsystem, event class, object class, severity or results.
Where - purge events captured by a specific agent, domain or site.
Origin - purge events originating from a specific workstation or server.
See Purge selected records for a description of the criteria options.
NOTE: If you specify criteria on more than one tab, the criteria specified on ALL of the tabs must
be met before an event is deleted from the database or archived.

7 Select Archive events if you want to create an archive database. A yearly archive database will be
created beginning on the first day of the selected month. For example, if you select Jan, the database
will contain events for 12 months beginning on January 1.
If you have also selected to purge events based on specific criteria, any events that remain will be
moved to the archive database.
NOTE: A new archive database will be created for each year of events that you have in your
production database.
NOTE: This option is not available if there is an existing archive job.

8 Click Next.

9 Select the job scheduling options to define when the events are to be deleted or archived.

10 Click the Finish button to save the job and exit the wizard.


To edit a scheduled purge and archive job:

1. On the Purge and Archive page, select the job to be edited.
2. Click the Edit tool bar button to open the Purge and Archive wizard.
3. Modify the current settings as necessary.
4. Click the Finish button to save your selections and exit the wizard.

To disable a scheduled purge and archive job:

1. On the Purge and Archive page, select the job to be disabled.
2. Click the Disable right-click command.


When a job is disabled, that particular database cleanup job will not take place until it is re-enabled.

To enable a previously disabled job, select the job from the Purge and Archive page and click the Enable
right-click command.

To delete a scheduled purge and archive job:

1. On the Purge and Archive page, select one or more jobs from the list.
2. Click the Delete tool bar button or right-click command.
3. When prompted, confirm that you want to delete the scheduled jobs.

Purge and Archive wizard


The wizard opens when you click the Add button on the Purge and Archive page under Administration Tasks. Use
this wizard to define the records to be purged or archived, and the cleanup schedule.
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your
cursor over this icon displays a tool tip explaining what needs to be entered.
Before scheduling a job, ensure that you have reviewed the best practice information in Planning your jobs.

Using the Purge and Archive wizard:

1. Begin by entering a descriptive name for the job.
2. Select the data that you want to purge and/or archive. The default is to process events older than 90
   days.
   NOTE: Jobs created in previous versions will have the process time converted from
   weeks/months/quarters/years to the appropriate number of days.
3. Select whether you want to purge, archive, or both. If you have specific purge jobs that you want to
   complete before a scheduled archive, ensure that you leave enough time between the purge only jobs
   and the archive job.

   Option / Notes

   Purge events
      If you select to purge events, specify the options that determine which events will be
      removed from the database.
      All events: Select this option to purge all events from the database that are older
      than the specified time.
      Only selected events: Select this option to purge only selected events, based on
      specific criteria, from the database that are older than the specified time.
      Use the criteria tabs to define the events to be deleted:
         Who - purge events generated by a specific user, computer or group.
         What - purge events based on subsystem, event class, object class, severity or results.
         Where - purge events captured by a specific agent, domain or site.
         Origin - purge events originating from a specific workstation or server.
      If you specify criteria on more than one tab, the criteria specified on ALL of the tabs
      must be met before an event is deleted from the database or archived.
      See Purge selected records for a description of the criteria tabs and options that
      appear to specify the records.

   Archive events
      When this option is selected, a yearly archive database will be created beginning on
      the first day of the selected month. For example, if you select Jan, the database will
      contain events for 12 months beginning on January 1. If you have also selected to
      purge events based on specific criteria, any events that remain will be moved to the
      archive database.
      NOTE: A new archive database will be created for each year of events that you have
      in your production database.
      On initial run of archive or purge/archive job, an archive database will be created on
      the same database server as your production Change Auditor database. The name of
      the archive database is as follows: Production database name appended with
      _Archive_ and the year of your oldest event and a selected month. Example:
      ChangeAuditor_Archive_2014 _August
      The *.mdf file will have the same name except that the date will be appended to the
      end. Example: ChangeAuditor_Archive_2014__August20150310163244.mdf
      If the archive database is moved or deleted, a new archive database with the same
      name will be created (the *.mdf will differ because a new date is appended) the next
      time an archive or purge/archive job runs.
      NOTE: If an archive database is deleted or moved before the end of an archived year,
      then a new one will be created and will only contain events that were not previously
      archived to the deleted or moved database.
      NOTE: This option is not available if there is an existing archive job.
4. Next, set the job schedule.


   Option / Description

   Occurs
      Specifies if the job is to be run on a weekly or monthly schedule.
      The default is monthly.
      NOTE: When Monthly is selected, specify the monthly schedule to be used to run
      the job. For example, 1 for every month (default), 2 for every other month, 6 for
      every six months or twice a year, etc.

   Batch Limit
      Specifies the maximum number of events to be purged for each cycle.
      That is, the job task checks every five minutes to determine if it needs to run a
      job. When the job runs, by default it purges a maximum of 500,000 events in that
      five minute period. If there are more than 500,000 events to be purged, then five
      minutes later another 500,000 events are processed until all of the events are
      purged or archived. If there are 500,000 events or less in a job, then the job task
      checks again in the next five minutes and obeys the next run time.
      NOTE: If SQL is slow or disk space is low, decrease this limit to 100000 or 50000.
      When this limit is decreased, the job will take longer to complete.

   Every
      When a Monthly schedule is selected, specifies on which day of the month the job
      is to be run:
         First (default)
         Last
         Day #
      When a Weekly schedule is selected, specifies the weekly schedule to be used to
      run the job. For example, 1 for every week, 2 for every other week, 3 for every
      third week, and 4 for every fourth week.

   On Days
      When a Weekly schedule is selected, defines the days of the week when the job
      is to be run.
      The default is Monday through Friday.

   Run Time
      Defines the time of day when the job is to be performed.
      The default start time is 12:00:00 AM.
      NOTE: Based on the client's current local date and time. The format used to
      display this date and time is determined by the local machine's regional and
      language setting.

   Last Run
      This read-only field specifies the last time (date and time) the job ran.
      NOTE: Based on the client's current local date and time. The format used to
      display this date and time is determined by the local machine's regional and
      language setting.

   Next Run
      This read-only field specifies the next time (date and time) when the job is
      scheduled to run.
      NOTE: Based on the client's current local date and time. The format used to
      display this date and time is determined by the local machine's regional and
      language setting.

5. Select Finish.


Purge selected records


Use the criteria tabs in the Purge and Archive wizard to define what specific records are to be deleted from the
database. These tabs are enabled when you choose the Purge | Only selected events option.
NOTE: If you specify criteria on more than one tab, the criteria specified on ALL of the tabs must be met
before an event is deleted from the database or archived.

Who tab
Use the Who tab when you want to purge or archive events generated by specific users, computers, or groups.
By default (when the Who tab is empty), change events generated by all users, computers, and groups will be
deleted from the database or archived.
When multiple who criteria are specified on this tab, Change Auditor uses the OR operator to evaluate change
events, purging or archiving events for activity performed by any of the users, computers or groups listed on
this tab.

To purge events generated by a specific user, computer or group:

1. From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
   activate the criteria tabs.
2. Open the Who tab and click the Add tool bar button.
3. On the Select Active Directory Objects dialog, use the Browse or Search page to locate the user,
   computer or group to be included. Once you have located a directory object, select it and click the Add
   button to add it to the selection list at the bottom of the dialog.
   Repeat this step to include each additional directory object.
4. After selecting one or more directory objects, click the Select button to save your selection and close
   the dialog.
   NOTE: Use the Add With Events tool bar button (instead of Add) to select users, computers, or
   groups that already have an event associated with them in the database. Use this feature to purge
   events tied to users who have been removed from Active Directory.
5. Change Auditor will now only purge or archive events generated by the user(s), computer(s) or group(s)
   listed on the Who tab.
   NOTE: To purge events NOT generated by the users, computers, or groups listed on the Who tab,
   select the Exclude The Following Selection(s) check box at the top of the Who tab.

To use a wildcard expression to specify users or groups:

1. From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
   activate the criteria tabs.
2. Open the Who tab and expand the Add tool bar button and click Add Wildcard Expression.
   NOTE: If you used the Add With Events tool bar button instead, click the Add Wildcard Expression
   button on the Add Users, Computer, or Groups dialog.
3. On the Add Who dialog, enter the wildcard expression to be used to search for users (domain\user name)
   or groups (domain\group name).
      Select the comparison operator to be used: Like or Not Like
      Enter the pattern (character string and * wildcard character) to be used to search for a match.
      Use the * wildcard character to match any string of zero or more characters.
      By default, the wildcard expression will be used to search for users. To search for groups, select
      the Group option.
      NOTE: When using the Group option, the Group Membership Expansion option on the
      Coordinator Configuration page (on the Administration Tasks tab) must be set to Expand all
      groups.
4. Click OK to close the dialog and add the wildcard expression to the Who tab.
5. Change Auditor will now search for and purge or archive change events generated by the users that are
   members of the groups whose name matches the specified wildcard expression.

What tab
Use the What tab to specify the what criteria to be used to determine whether an event is to be purged from
the database. By default (when the What tab is empty), all events regardless of the subsystem, event class,
object class, severity, or results will be purged or archived.
When multiple what criteria are specified on this tab, Change Auditor uses the AND operator to evaluate an
event, purging only those events that meet all the specified criteria. However, when multiple subsystems (such
as Active Directory, ADAM, and Exchange) are specified, Change Auditor uses the OR operator to evaluate
these entities, purging or archiving events that meet any of the specified subsystem criteria. This also applies
when multiple event classes are specified. That is, when multiple event classes are specified, Change Auditor
uses the OR operator, purging or archiving any of the specified events.

To purge events based on a specific entity:

1. From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
   activate the criteria tabs.
2. Open the What tab, expand the Add tool bar button (or Add With Events tool bar button) and select the
   appropriate option. When you select an option, an additional dialog appears allowing you to enter
   specific criteria:
      Subsystem | Active Directory - Add Active Directory Container dialog
      Subsystem | AD Query - Add Active Directory Container dialog
      Subsystem | ADAM (AD LDS) - Select the agent that hosts the ADAM/LDS Instance dialog
      Subsystem | Exchange - Add Exchange Container dialog
      Subsystem | Exchange Online - Exchange Online dialog
      Subsystem | File System - Add File System Path dialog
      Subsystem | Group Policy - Add Group Policy Container dialog
      Subsystem | Local Account - Add Local Account dialog
      Subsystem | Logon Activity - Add Logons dialog
      Subsystem | Registry - Add Registry Key dialog
      Subsystem | Service - Add Service dialog
      Subsystem | SharePoint - Add SharePoint Path dialog
      Subsystem | SonicWALL - Add SonicWALL dialog
      Subsystem | SQL - Add SQL Instance dialog
      Subsystem | VMware - Add VMware Host dialog
      Event Class - Add Facilities or Event Classes dialog
      Object Class - Add Object Classes dialog
      Severity - Add Severities dialog
      Result - Add Results dialog
3. Once you have selected or entered the specific criteria, click the Add button to add it to the selection
   list at the bottom of the dialog.
4. Click OK to save your selection and close the dialog.
5. Change Auditor will now search for and purge or archive change events that match the criteria listed on
   the What tab.

Where tab
Use the Where tab to purge events captured by specific agents, domains, or sites. By default (when the Where
tab is empty), events captured by all agents will be purged or archived.
When multiple where criteria are added to this tab, Change Auditor uses the OR operator to evaluate events,
purging or archiving events that were captured by any of the specified agents, domains or sites.

To purge events captured by a specific agent, domain or site:

1. From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
   activate the criteria tabs.
2. Open the Where tab and click the Add tool bar button.
3. On the Choose the Agents, Domains or Sites to Include dialog, use the Browse or Search pages to locate
   an individual agent, domain or site.
   NOTE: You can also select the Grid View option to select an agent from a list rather than using the
   Explorer View to locate it within your environment.
   Once you have located an agent, domain or site, select it and click the Add button to add it to the
   selection list at the bottom of the dialog.
   Repeat this step to include each additional agent, domain or site.
4. Click OK to save your selection and close the dialog.
   NOTE: Use the Add With Events tool bar button (instead of Add) to select agents, domains, or
   sites that already have an event associated with them in the database.
5. Change Auditor will now search for and purge or archive change events captured by the agents, domains,
   or sites listed on the Where tab.
   NOTE: To purge or archive events NOT captured by the agents, domains, or sites listed on the
   Where tab, select the Exclude The Following Selection(s) check box at the top of the Where tab.

To use a wildcard expression to specify agents, domains, or sites:

1. From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
   activate the criteria tabs.
2. Open the Where tab, expand the Add tool bar button and click Add Wildcard Expression.
   NOTE: If you used the Add With Events tool bar button instead, click the Add Wildcard Expression
   button on the Add Agents, Domains, Sites dialog.
3. On the Add Where dialog, enter the wildcard expression to be used to search for agents (NetBIOS name),
   domains or sites.
      Select the comparison operator to be used: Like or Not Like
      Enter the pattern (character string and * wildcard character) to be used to search for a match.
      Use the * wildcard character to match any string of zero or more characters.
      By default, the wildcard expression will be used to search for agents. To search for domains or
      sites, select the Domain or Site option.
4. Click OK to close the dialog and add the wildcard expression to the Where tab.
5. Change Auditor will now search for and purge or archive change events captured by the agent(s),
   domain(s) or site(s) whose name matches the specified wildcard expression.

Origin tab
Use the Origin tab to purge events originating from a specific workstation or server. By default (when the Origin
tab is empty), events will be purged regardless of the workstation or server from which they originated.
When multiple origin criteria are specified on this tab, Change Auditor uses the OR operator to evaluate
events, purging or archiving events originating from any of the specified workstations or servers.

To purge events based on where they originated:

1. From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
   activate the criteria tabs.
2. Open the Origin tab and click the Add tool bar button.
3. On the Add Origin dialog, enter the wildcard expression to be used to include workstations or servers,
   based on their NetBIOS name or IP address:
      Select the comparison operator to be used: Like or Not Like
      Enter the pattern (character string and * wildcard character) to be used to search for a match.
      Use the * wildcard character to match any string of zero or more characters.
4. Click OK to close the dialog and add the wildcard expression to the Origin tab.
5. Change Auditor will now search for and purge or archive change events originating from
   workstations/servers whose machine name (NetBIOS name or IP address) matches the specified wildcard
   expression.
   NOTE: To purge or archive events NOT originating from the workstations or servers listed on the
   Origin tab, select the Exclude The Following Selection(s) check box at the top of the Origin tab.

To select an originating workstation or server that has an event in the Change Auditor
database:

1. From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
   activate the criteria tabs.
2. Open the Origin tab and click the Add With Events tool bar button.
   The Add Origin dialog appears populated with originating workstations/servers that have an event
   associated with them in the Change Auditor database.
   NOTE: Use the Add Wildcard Expression button to enter a wildcard expression to include
   workstations/servers from this list based on their NetBIOS name or IP address.
3. On the Add Origin dialog, select one or more originating workstations/servers from the list and click Add
   to add them to the selection list at the bottom of the page.
4. Click OK to close the dialog and add the selected workstations to the Origin tab.
5. Change Auditor will now search for and purge or archive change events originating from the selected
   workstations/servers.
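
The selection rules in this section (an empty tab matches everything, entries on one tab are OR-ed, criteria on ALL tabs must be met, Like/Not Like with the * wildcard, and the Exclude check box) can be modelled offline to preview which audit events a job definition would remove before the job is scheduled. The Python sketch below is an added example, not Change Auditor code; the event fields, class names and case-insensitive matching are assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches zero or more characters; every other character is literal.
    Case-insensitive comparison is an assumption of this sketch."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


@dataclass
class Expr:
    pattern: str
    like: bool = True              # True = "Like", False = "Not Like"

    def matches(self, value: str) -> bool:
        return wildcard_match(self.pattern, value) == self.like


@dataclass
class Tab:
    """Who, Where or Origin tab: entries are OR-ed, an empty tab matches all."""
    entries: list = field(default_factory=list)
    exclude: bool = False          # "Exclude The Following Selection(s)"

    def matches(self, value: str) -> bool:
        if not self.entries:
            return True
        hit = any(entry.matches(value) for entry in self.entries)
        return not hit if self.exclude else hit


@dataclass
class WhatTab:
    """What tab: AND across criterion kinds, OR between values of one kind
    (stated in the guide for subsystems and event classes, assumed for the rest)."""
    criteria: dict = field(default_factory=dict)   # kind -> set of accepted values

    def matches(self, event: dict) -> bool:
        return all(event.get(kind) in accepted
                   for kind, accepted in self.criteria.items())


@dataclass
class PurgeJob:
    older_than_days: int = 90      # wizard default
    who: Tab = field(default_factory=Tab)
    what: WhatTab = field(default_factory=WhatTab)
    where: Tab = field(default_factory=Tab)
    origin: Tab = field(default_factory=Tab)

    def selects(self, event: dict, now: datetime) -> bool:
        if event["time"] >= now - timedelta(days=self.older_than_days):
            return False           # not old enough to be processed
        # Criteria on ALL tabs must be met.
        return (self.who.matches(event["who"])
                and self.what.matches(event)
                and self.where.matches(event["agent"])
                and self.origin.matches(event["origin"]))


def preview(job: PurgeJob, events: list, now: datetime) -> list:
    """Return the ids of the events the job definition would remove."""
    return [e["id"] for e in events if job.selects(e, now)]


def _event(eid, when, who, subsystem, severity, agent, origin):
    return {"id": eid, "time": when, "who": who, "subsystem": subsystem,
            "severity": severity, "agent": agent, "origin": origin}


# Constructed sample data, not real Change Auditor records.
NOW = datetime(2015, 6, 1)
EVENTS = [
    _event(1, datetime(2015, 1, 10), r"CORP\svc-backup", "File System", "Low", "FS01", "FS01"),
    _event(2, datetime(2015, 1, 12), r"CORP\jsmith", "Active Directory", "High", "DC01", "WKS-114"),
    _event(3, datetime(2015, 2, 1), r"CORP\svc-scan", "File System", "High", "FS01", "10.0.5.20"),
    _event(4, datetime(2015, 5, 20), r"CORP\svc-backup", "File System", "Low", "FS02", "FS02"),
    _event(5, datetime(2015, 2, 15), r"CORP\svc-backup", "Registry", "Low", "FS01", "FS01"),
    _event(6, datetime(2014, 12, 1), r"CORP\svc-patch", "Exchange", "Low", "EX01", "EX01"),
]

# Low-severity file system and registry noise from service accounts only.
NARROW = PurgeJob(
    who=Tab([Expr(r"CORP\svc-*")]),
    what=WhatTab({"subsystem": {"File System", "Registry"}, "severity": {"Low"}}),
)
ALL_EVENTS = PurgeJob()                                        # every tab left empty
NOT_SERVICE = PurgeJob(who=Tab([Expr(r"CORP\svc-*")], exclude=True))
NOT_FROM_10 = PurgeJob(origin=Tab([Expr("10.*", like=False)]))

if __name__ == "__main__":
    for name, job in [("narrow", NARROW), ("all events", ALL_EVENTS),
                      ("exclude svc-*", NOT_SERVICE), ("origin Not Like 10.*", NOT_FROM_10)]:
        print(f"{name:22} -> {preview(job, EVENTS, NOW)}")
```

Comparing the narrow job with the all-events job shows that leaving every tab empty also selects the two High severity events (ids 2 and 3), which the narrow definition keeps in the production database.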


13 Disable Private Alerts and Reports

Introduction

Private Alerts and Reports page

Disable private alerts and reports

Introduction
Using the Private Alerts and Reports page on the Administration Tasks tab, administrators can disable alert
notifications and scheduled reports that were created under a user's Private folder. This feature allows
administrators to clean up orphaned alerts and reports in all users' private folders.
NOTE: Authorization to use the administration tasks on the Administration Tasks tab is defined using the
Application User Interface page. To disable private alerts/reports using the Private Alerts and Reports
page, you must be assigned to a role that contains the View Private Alerts and Reports, Disable Alert and
Disable Report operations. If you are denied access to the tasks on this page, refer to the Change Auditor
User Interface Authorization chapter.
This section provides a description of the disable private alert/report feature, including the Private Alerts and
Reports page and instructions on how to disable private alerts/reports from the Administration Tasks tab. For a
description of the dialogs mentioned in this chapter, refer to the online help.

Private Alerts and Reports page


The Private Alerts and Reports page is displayed when Private Alerts and Reports is selected from the
Configuration task list in the navigation pane of the Administration Tasks tab and displays a list of all private
search queries where alerting and/or reporting has been enabled and configured. From this page,
administrators with the proper permissions can disable valid alerts and reports from a user's private folder.
For each private alert/report found, the following information is displayed:

Name
Displays the name assigned to the search query when it was created.

Folder
Displays the full folder path where the search query was saved.

Owner
Displays the name of the owner who created the private alert/report.

Alert
Indicates whether an alert has been enabled for the search query. Valid entries for this field are:

Enabled - which means that alerting is enabled for the search query and that at least one
transport method is enabled.

Disabled - which means that the alert is disabled for the search query; however at least one
transport method is still enabled.

Report
Indicates whether reporting had been enabled for the search query. Valid entries for this field are:

Enabled - which means reporting is enabled for the search query and a report will be sent to the
specified recipient(s) as defined on the Report tab.

Disabled - which means previously enabled reporting has now been disabled for the search query.

Alert To
Displays the email address of any recipient(s) specified to receive an alert email notification (SMTP).

Alert Cc
Displays the email address of any carbon copy recipient(s) specified to receive an alert email
notification.

Alert Bcc
Displays the email address of any blind carbon copy recipient(s) specified to receive an alert email
notification.

Report To
Displays the email address of any recipient(s) specified to receive a report as defined on the Report tab.

Report Cc
Displays the email address of any carbon copy recipient(s) specified to receive a report email.

Report Bcc
Displays the email address of any blind carbon copy recipient(s) specified to receive a report email.

Disable private alerts and reports


To disable a private alert or report:

1. Open the Administration Tasks tab.
2. Click the Configuration task button at the bottom of the navigation pane (left pane).
3. Select Private Alerts and Reports from the task list.
4. On the Private Alerts and Reports page use one of the following methods to disable a private
   alert/report:
      Select the alert/report to be disabled and click the appropriate tool bar button: Disable Alert or
      Disable Report.
      Select the alert/report to be disabled, right-click and select the appropriate option: Disable
      Alert or Disable Report.

The disabled status also appears on the Searches page for the selected search query. The user can use
the commands on the Searches page to re-enable alerting/reporting for a private search query.


14 Generate and Schedule Reports

Introduction

Schedule reports for email distribution

Launch Report Designer

Publish reports

Print or save a page's contents

Introduction
Presenting audited information in a professional, concise and effective way is clearly as critical as gathering it
in the first place. The new scheduled reporting feature uses the same SMTP configuration defined for alerting to
distribute search query reports via email. In addition to email reporting, you can publish Change Auditor reports
to Microsoft SQL Server Reporting Services (SRS) or to the Dell Knowledge Portal which extends Microsoft
SQL Server Reporting Services to provide easy report management and delivery.
Change Auditor's reporting features allow organizations to granularly discern which business units see which
types of data and also to set custom criteria for the types of information shared in the report. For example,
Administrators could pull reports highlighting how many times a particular event or category of events occurred
in the last 30 days or provide a more detailed accounting to articulate who made the changes, how many times,
and the before and after values associated with those changes. Whether for operations insight or security
reporting for management, Change Auditor provides reports that streamline reporting to meet any requirement.
This section provides a description of the reporting feature and instructions on how to generate reports using
the Change Auditor client, publish reports to Dell Knowledge Portal, and print or save the contents of the active
page. It also provides a description of the Report Layouts page and Report tab, which are used to define the
layout and distribution of a report. For a description of the dialogs mentioned in this chapter, refer to the online
help.

Schedule reports for email distribution


To enable, design and schedule email reports, use the following Change Auditor client components:

Report Layouts page (Administration Tasks tab) to create global templates that define the header and
footer information for reports. See Create global report template.

Layout tab (Search Properties tabs) to specify the data (columns) to be retrieved from the database and
displayed for the selected search. In addition, you can specify the column order, sort criteria and order,
and data grouping to be used for displaying the retrieved data. The settings on this tab are also used to
display the search results in the client. See Define report content and layout.

Report tab (Search Properties tabs) to enable reporting for a selected search query, specify the global
template to be used or choose to design a custom report using the report designer, and schedule the
distribution of the report. See Enable and schedule reporting.


Create global report template


The report templates defined on the Report Layouts page on the Administration Tasks tab define the header and
footer information to be included in a Change Auditor search results report. You can use the default report
template supplied or use the Report Layouts page to create custom report templates for your company.
NOTE: Use the report templates on the Administration Tasks tab to define the header and footer
information for a Change Auditor search results report. If you want to design a custom report layout for an
individual search, including content and data layout, click the Design Report tool bar button on the
Report tab (Search Properties tab) to launch the Report Designer.

Report Layouts page (Administration Tasks tab)


The Report Layouts page is displayed when Report Layouts is selected from the Configuration task list in the
navigation pane of the Administration Tasks tab. From this page you can add, edit or delete global report
templates.
The Report Layouts page contains a list of all the report templates that have been previously defined. Initially,
this list contains the Default template, which will be used for all search results reports unless changed on the
Report tab of a search's Search Properties tabs.

To add a global report template:

1. Open the Administration Tasks tab.
2. Click the Configuration task button at the bottom of the navigation pane (left pane).
3. Select Report Layouts in the Configuration task list to open the Report Layouts page.
4. Click the Add tool bar button to display the New Report Layout dialog. Enter a descriptive name for the
   new report template and click OK.
   The report designer appears.
5. Use the controls in the tool bar to the left of the report grid to define the header and/or footer
   information to be included. For example:

      To add a page header, click the Page Header button. Click on the report grid and the header
      pane will be added to the top of the page. Use the arrow controls or Height setting in the
      Properties pane to resize the header pane.

      To add the report title to the page header pane, click the Text button. Move the pencil cursor
      in the heading pane where you want to place the report title and click. Open the System Variable
      tab in the Text Editor, locate the ReportName variable. Double-click the variable to add it to the
      text pane. Click OK to save your selection and close the Text Editor.

      Back on the report grid, you can resize the {ReportName} text box to prevent the report titles
      from being truncated. You can also use the settings in the Properties pane to modify the font,
      size, color, etc.

      To add a page footer (e.g., page number), click the Page Footer button. Click on the report
      grid and the page footer pane will be added to the bottom of the page. Use the arrow controls or
      Height setting in the Properties pane to resize the footer pane.

      To add the page number to the page footer pane, click the Text button. Move the pencil cursor in
      the footer pane where you want to place the page number and click. Open the System Variables
      tab in the Text Editor, locate the page number variable to be used (for example, PageNofM).
      Double-click the variable to add it to the text pane. Click OK to save your selection and close the
      Text Editor.

   NOTE: This is an example of how to use the report designer to add a simple header and footer.
   However, there are many more capabilities with the new report designer which uses
   StimulReport.Net components. For a detailed description and functionality of each component
   available for designing reports, click F1 to view the Stimulsoft online help (www.stimulsoft.com).

The new report template is added to the Report Layouts page (Administration Tasks tab) and is also now
available in the Layout drop-down menu on the Report tab (Search Properties tabs).

Define report content and layout


For each search, built-in or custom, the data displayed in both the client and in the associated report (when
reporting is enabled) is pre-defined. However, you can use the Layout tab of the Search Properties tabs to
customize the content (columns) to be displayed for each individual search. See Layout tab in the Custom
Searches and Search Properties chapter for a detailed description of the Layout tab.

Enable and schedule reporting


When reporting is enabled, a report containing the search results of an individual search, built-in or custom, is
sent as an attachment via email to the designated recipients. Use the Report tab, which is one of the Search
Properties tabs, to enable reporting for the selected search, define the format to be used, and define who is
to receive the report and when it is to be sent.
NOTE: In order to send reports via email, you must first enable SMTP for alerting/reporting and specify
the mail server to be used in the SMTP Configuration pane on the Coordinator Configuration page. The
same SMTP configuration is used for both alert notifications and reporting. See SMTP Configuration pane
for more information.

Report tab (Search Properties tabs)


The Report tab displays the current report configuration for the selected search definition. From the Report tab
you can perform the following tasks:

• enable/disable reporting for the current search
• specify the format to be used for the report attachment (PDF, Html, Word, Text, Excel, CSV)
• select the recipients who are to receive the report via email
• define a schedule for sending the report
• select the template to be used for the report's headers and footers or design a custom report layout
  using the report designer

Use the controls on the Report tab as described below.


NOTE: All dates and times are based on the client's current local date and time. The format used to
display the date and time is determined by the local machine's regional and language setting.
Table 24. Report tab: Field/Control descriptions
Field/Control

Description

Report Enabled

Select the Report Enabled check box to enable reporting for the current search
definition.
NOTE: This option becomes available only after a valid email address is entered
in the To field in the Report Configuration section of this tab.

Report Configuration
Layout

Specifies what report template is to be used for the report's headers and
footers.
The Default report template has been defined for you. To define additional
report templates, use the Report Layouts page on the Administration Tasks tab.
NOTE: This setting is disabled if you click the Design Report tool bar button to
define a custom report layout for the selected search.

Report

Specifies if the report is to be generated/sent on a weekly (default) or monthly
schedule.
NOTE: When Monthly is selected, specify the monthly schedule to be used to
generate the report. For example, 1 for every month (default), 2 for every other
month, 6 for every six months or twice a year, etc.

Every

When a Weekly report is selected, specifies the weekly schedule to be used to
generate the report. For example, 1 for every week (default), 2 for every other
week, 3 for every third week, and 4 for every fourth week.

On Days

When a Weekly report is selected, defines the days of the week when the report
is to be generated. The default is Monday through Friday.

On Day of Month

When a Monthly report is selected, specifies on which day of month the report is
to be generated:

• First (default)
• Last
• Day #

Run Time

Specifies the time at which the report is to be generated.

Reset

Use the Reset button to reset the settings back to the factory defaults.


To

Enter the email address of the person(s) who are to receive the report.
You can also use the browse button to locate and select the user(s) who are
to receive the report. Selecting this button displays one of the following dialogs:
• The Select Active Directory Objects dialog (directory object picker),
  where you can use the Browse or Search page to locate Active Directory
  user(s). This dialog is displayed when no Exchange host is specified in the
  SMTP Configuration pane of the Coordinator Configuration page.
• The Search Users dialog, allowing you to locate and select an Exchange
  user (Exchange tab) or an Active Directory user (Active Directory tab).
  This dialog is displayed when an Exchange host is defined in the SMTP
  Configuration pane of the Coordinator Configuration page.

Click the Expand Properties button (right arrow) to the left of the To field to
enter additional recipients and/or change the subject. When expanded, you can
enter the following information:
• To: Enter or use the browse button to specify the email address of users
  who are to receive the report.
• Reply: Enter or use the browse button to specify the email address to
  which reply emails are to be sent.
• Cc: Enter or use the browse button to specify the email address of users
  who are to receive a copy of the report email.
• Bcc: Enter or use the browse button to specify the email address of users
  who are to receive a blind copy of the report email.

Click the Collapse Properties button (down arrow) to hide these additional
properties and show the other settings available on the Report Configuration
pane.
NOTE: You can enter an individual email address or distribution list in any of the
email address fields. Separate multiple email addresses with a semi-colon.

Attach

The report is sent as an email attachment. Select the appropriate Attach option
to define the format to be used for the report:
• PDF (default)
• Html
• Word
• Text
• Excel
• CSV

Columns

Defines how the report content is to fill the page:
• Fit to Page (default)
• Fixed Width nn.nn Inches/Column
NOTE: These settings are disabled if you click the Design Report tool bar button
to define a custom report layout for the selected search.

Time Zone

Specifies the time zone to be used for the report's time stamp in the report
email. By default, the time zone of the machine where the Change Auditor client
resides will be used.

Last Run

This read-only field specifies the last time (date and time) the report ran.

Next Run

This read-only field specifies the next time (date and time) when the report is
scheduled to run.


To enable/schedule reporting:
NOTE: In order to distribute reports through email (SMTP) you must first enable email notifications on the
Coordinator Configuration page of the Administration Tasks tab. See Configure email alert
notifications/reports.
1 Open the Searches page.

2 Expand the Private or Shared folders in the explorer view to locate the search for which reporting is to
be enabled. Select the search from the Search list in the right pane.

3 Open the Report tab and enter a valid email address in the To field and then select the Report Enabled
check box.

4 Specify the report configuration settings:
  • Layout: Select the report template to be used.
  • Report: Specify when the report is to be generated/sent (i.e., on a weekly or monthly schedule).
  • Run Time: Specify the time (based on the client's current local date and time) at which the report
    is to be run.
  • Attach: Select the report format to be used.
  • Columns: Define how the report content is to fill the page.
  • Time Zone: Select the time zone to be used for the report's time stamp in the report email.
  NOTE: See Table 24 for a detailed description of the report configuration settings.

5 Click the Save tool bar button.

When reporting is enabled, the following details are added to the search entry in the Searches list:
• Report column displays Enabled
• Report To, Report Cc and Report Bcc columns display the email address of specified recipients.

To disable a scheduled report:


1 Open the Searches page.

2 Expand the Private or Shared folders in the explorer view to locate the search whose reporting is to be
disabled. Select the search from the Search list in the right pane.

3 Use one of the following methods to disable reporting for the selected search:
  • Right-click the search and select Report | Disable Report.
  • Open the Report tab and clear the Report Enabled check box. Click the Save tool bar button.

Launch Report Designer


The report designer in Change Auditor uses StimulReport.Net components for designing reports. For a detailed
description of each available component and its functionality, press F1 to view the Stimulsoft online help
(www.stimulsoft.com).

To launch the report designer:


1 Open the Searches page, locate and select a search definition.

2 Open the Report tab for the selected search and click the Design Report tool bar button.
The report designer appears allowing you to create a custom report layout for the selected search.
NOTE: Once the report designer is launched, the Layout and Columns settings on the Report tab
for the selected search are disabled. To re-enable these settings, click the Reset button at the
bottom of the Report tab.

Publish reports

Change Auditor supports Microsoft SQL Server Reporting Services (SRS), providing a
comprehensive, server-based solution that enables the creation, management and delivery of both traditional
paper-based reports and interactive web-based reports. In this implementation, administrators no longer need
to traverse the various auditing solutions to create the desired reports. Instead, they can interact with a
web-based reporting portal and simply subscribe to the reports they want to see.

You can also publish Change Auditor reports to the Dell Knowledge Portal, which extends Microsoft SQL Server
Reporting Services to provide easy report management and delivery.
NOTE: If you publish to SRS, reports are only available within the SRS reports website. Users will not be
able to access them through the Dell Knowledge Portal. However, if you publish to the Dell Knowledge
Portal, reports will be available in both the SRS reports website and the Dell Knowledge Portal site.

Publishing reports to the Dell Knowledge Portal


Prerequisites

• Download the Dell Knowledge Portal from here: http://software.dell.com/products/knowledge-portal/
• Install the Dell Knowledge Portal.
• Create the required QKP directory and a subdirectory under it called SharedDataSources.
  NOTE: This is only required if this is the first time that you have installed the Dell Knowledge
  Portal. If you have used it with any other Dell products, these directories will already have been
  created.

To install the Dell Knowledge Portal:

NOTE: The Knowledge Portal can be installed either on the computer where SSRS is running or on a
dedicated computer.

1 Run the Dell Knowledge Portal Setup.

2 Accept the license agreement and click Next.

3 Specify your full name and organization and click Next.

4 Specify the installation folder and make sure to select the Dell Knowledge Portal.

5 A requirements check is run to ensure your system conforms to the system requirements. If everything
passes, select Proceed to Installation Wizard. If not, refer to the Dell Knowledge Portal documentation
for the list of minimum system requirements.

6 Specify the site and virtual directory in which to install the Knowledge Portal and click Next.

7 Specify the SQL Reporting Services server URL where the Dell Knowledge Portal will be installed and click
Next.
IMPORTANT: This URL (Http://SQLServerName/Reports) will be used to create the required
directories.

8 Specify the default user name and password that will be used for:
  • Connecting to the SQL Server hosting the product databases
  • Searching for accounts in Active Directory when granting access rights to report users
  NOTE: This user account should be granted the Log on as a service right on Windows 2003-based
  computers where the Dell Knowledge Portal is installed.

9 Dell has a Software Improvement Program to help identify and improve the features you use most. Select
the country where you are installing the Dell Knowledge Portal and click Next.

10 Click Next and wait for the installation to complete.


To create the required directories:

1 Open the SRS Reports URL entered during the installation (Http://SQLServerName/Reports).

2 Click New Folder and create a directory called QKP.

3 Open the QKP directory and create a new folder called SharedDataResources.
You can now browse to the Knowledge Portal site (Http://servername/DellKnowledgePortal). The
page will be empty until you publish a report.

To publish Change Auditor reports to the Dell Knowledge Portal:


1 Open the Searches page.

2 Expand the Private and Shared folders and select a folder in the explorer view to display the list of
search/report definitions stored in the selected folder.

3 From the right-hand pane, right-click a search/report definition and select Publish to Dell
Knowledge Portal. The Knowledge Portal Setup dialog appears allowing you to configure the SQL
Server Reporting services to be used and specify the report details. (To publish a series of reports
(folder), select a folder in the explorer view.)

4 If not already configured, select the Configure button to specify the reporting services and Change
Auditor shared data source to be used.
  • Enter the URL of the SRS server that is to host the Change Auditor reports. For example:
    http://<SQL_Server>/<ReportServer>
    Where: <SQL_Server> is the name of the server hosting SRS and <ReportServer> is the name of the
    report server virtual directory. (In a default Reporting Services installation, the name of the
    virtual directory is reportserver.)
    NOTE: Instead of entering the report server URL, you can click the Browse Knowledge
    Portal Servers button to select a Change Auditor agent that has Dell Knowledge Portal
    installed. Selecting an agent from the Eligible Change Auditor Agents dialog populates the
    report server URL.
  • Enter the user account, credentials and domain for a Windows account that has permissions to
    copy files to SRS.
    NOTE: This Windows account requires rights to create SRS reports and data sources on the
    server (a.k.a. Content Manager).
  • Enter the user account and credentials to be used to access the Change Auditor database (data
    source).
  • Click the Test button to verify the credentials entered above.

Once you have entered the requested information, Change Auditor will publish the reports to the
specified server, which will then be available through Dell Knowledge Portal.

Publishing reports to SRS


To publish Change Auditor reports to a SRS server:
1 Open the Searches page.

2 Expand the Private and Shared folders and select a folder in the explorer view to display the list of
search/report definitions stored in the selected folder.

3 From the right-hand pane, right-click a search/report definition and select Publish reports using SQL
Reporting Services. This will display the Create Report dialog allowing you to configure the SQL Server
Reporting services to be used and to specify the report details. (To publish a series of reports (folder),
select a folder in the explorer view.)

4 If not already configured, select the Configure button to specify the reporting services and Change
Auditor shared data source to be used.
  • Enter the URL of the SRS server that is to host the Change Auditor reports. For example:
    http://<SQL_Server>/<ReportServer>
    Where: <SQL_Server> is the name of the server hosting SRS and <ReportServer> is the name of the
    report server virtual directory. (In a default Reporting Services installation, the name of the
    virtual directory is reportserver.)
    NOTE: You can use the Import SRS Settings button on the Reporting Services Setup dialog to
    import a SQL Reporting Services template that was previously created to define the
    necessary SRS settings or enter the SRS settings as defined below.
  • Enter the user account, credentials and domain for a Windows account that has permissions to
    copy files to SRS.
    NOTE: This Windows account requires rights to create SRS reports and data sources on the
    server (a.k.a. Content Manager).
  • Enter the user account and credentials to be used to access the Change Auditor database (data
    source).
  • Click the Test button to verify the credentials entered above.

Once you have entered the requested information, Change Auditor will publish the reports to the
specified server, which will then be available through SQL Server Reporting Services.

Print or save a page's contents


From the Change Auditor client you can print or save the contents of the currently displayed page using the File
| Print menu commands or the Print tool bar options. For each Change Auditor page, the data grid as it is
displayed on the page is printed, except for the following pages:

• Searches page - The search properties specified for the selected search are printed. You must select a
  search from the searches list in the right pane to enable the print options.
• Search Results page - The data grid, pie chart or bar graph as it is displayed on this page is printed.
• Coordinator Configuration page - The settings specified in the SMTP Configuration, Group Membership
  Expansion and Agent Heartbeat Check panes are printed.
• AD Attributes Auditing page - The attributes selected for auditing are printed.
• ADAM (AD LDS) Attributes Auditing page - The attributes selected for auditing are printed.
• Application User Interface page - Printing is not available for this page.

To print a page:
1 Open the page to be printed and click the Print tool bar button.

2 On the native Print dialog, specify your print options and the printer to be used.
NOTE: You may want to use the Print | Page Setup option in the Change Auditor client or
Preferences button on the Print dialog to change the page orientation to Landscape and decrease
the page margins prior to printing the pages that contain grids.

3 Click Print to close the dialog and send the displayed page to the designated printer.

To preview a report prior to printing:


1 Open the page to be printed, expand the Print tool bar button and select Print Preview.

2 Use the controls at the top of the preview screen to print the report, display multiple or selected pages,
zoom and close the preview screen.

To save a page to a file:


1 Open the page to be saved to a file, expand the Print tool bar button and select one of the following
commands:
  • Print to File
  • Print to PDF

2 The native Save As dialog appears allowing you to specify the file name and location. Also if you clicked
the Print to File command, you can specify the type of file to be saved (.xls, .xlsx or .csv).


15
SQL Reporting Services Configuration

Introduction

SQL Reporting Services Page

SQL Reporting Services Templates

SQL Reporting Services Wizard

Introduction
Change Auditor allows you to define SQL Reporting Services (SRS) templates that define all the necessary Report
Server information (URL and credentials) and Change Auditor data source information for publishing reports.
These templates can then be made available to users who choose to publish Change Auditor reports to SRS. That
is, when an authorized user attempts to publish a Change Auditor report to SRS using the Publish reports to SQL
Reporting Services right-click command on the Searches page, they can use the Import SRS Settings button on
the Reporting Services Setup dialog to import the settings defined in a SQL Reporting Services template to
publish their reports.
This section provides instructions for creating SQL Reporting Services templates, as well as a description of the
SQL Reporting Services page and SQL Reporting Services wizard. For a description of the other dialogs
mentioned in this chapter, refer to the online help.

SQL Reporting Services Page


The SQL Reporting Services page is displayed when SQL Reporting Services in the Configuration task list is
selected in the navigation pane of the Administration Tasks tab. From this page you can launch the SQL
Reporting Services wizard to define the reporting services and data source information needed to publish
reports to SRS. You can also edit existing templates, disable/enable templates and remove templates that are
no longer being used.
The SQL Reporting Services page contains an expandable view of all the SQL Reporting Services templates that
have been previously defined. To add a new template to this list, use the Add tool bar button. Once added, the
following information is provided for each template:

Template
Displays the name assigned to the template when it was created.

Status
Indicates whether the template is enabled or disabled.

URL
This field is used for filtering data.

Authorized Accounts
This field is used for filtering data.

Click the expansion box to the left of the Template name to expand this view and display the following details:
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the templates that meet the search criteria (i.e.,
comparison operator and characters entered).

URL
Displays the Report Server URL specified in the wizard.

Database
Displays the Data Source name of the database as specified in the wizard.

Authorized Account
Displays the accounts that are authorized to use this SQL Reporting Services template.

SQL Reporting Services Templates


To create a SQL Reporting Services template:
1 Open the Administration Tasks tab.

2 Select the Configuration task button at the bottom of the navigation pane (left-hand pane).

3 Select SQL Reporting Services in the Configuration task list to open the SQL Reporting Services page.

4 Use the Add tool bar button to launch the SQL Reporting Services wizard to define the report server and
data source information.

5 On the first page of the wizard:
  • Enter a name for the template.
  • Enter the URL of the SRS server that is to host the Change Auditor reports.
    For example: http://<SQL_Server>/<ReportServer>
    where: <SQL_Server> is the name of the server hosting SRS and <ReportServer> is the name of the
    report server virtual directory. (In a default Reporting Services installation, the name of the
    virtual directory is reportserver.)
  • Enter the user account, credentials and domain for a Windows account that has permissions to
    copy files to SRS.
    NOTE: This Windows account requires rights to create SRS reports and data sources on the
    server (a.k.a. Content Manager).
  • Enter the user account and credentials to be used to access the Change Auditor database (data
    source).
  • Use the Test button to verify the credentials entered above.

6 On the second page of the wizard, select the user or group accounts that are authorized to use this
template to publish Change Auditor reports to SRS.
NOTE: The user and group accounts entered on this page are the ONLY accounts that are allowed
to import the settings in this template to publish Change Auditor reports to SRS. For example, the
first time an authorized user selects the Import SRS Settings button on the Reporting Services
Setup dialog, the Change Auditor Administrators will not be able to import the settings in this
template to publish reports to SRS unless they are also added as an authorized account on this
page.
Use the Browse or Search pages to locate and select the accounts to be included in the template. Use
the Add button to add these accounts to the list box at the bottom of the page.

7 Select Finish to create the template and return to the SQL Reporting Services page.

Now when an authorized user attempts to publish a Change Auditor report to SRS using the Publish reports to
SQL Reporting Services right-click command on the Searches page, they can use the Import SRS Settings
button on the Reporting Services Setup dialog to import the settings defined in this template to publish their
reports.

To modify a template:
1 On the SQL Reporting Services page, select the template to be modified and select the Edit tool bar
button or right-click command.

2 This will display the SQL Reporting Services wizard, where you can modify the report server and data
source settings and authorized accounts included in the template.

3 Select the Finish button.

To disable a template:
The disable feature allows you to temporarily disable the use of a template without having to remove it from
Change Auditor.
1 On the SQL Reporting Services page, use one of the following methods to disable a template:
  • Click in the Status cell for the template to be disabled and select Disabled
  • Right-click the template to be disabled and select Disable
The entry in the Status column for the template will change to Disabled.

2 To re-enable a template, use the Enable option in either the Status cell or right-click menu.

To delete a template:
1 On the SQL Reporting Services Auditing page, use one of the following methods to delete a template:
  • Select the template to be deleted and use the Delete | Delete Template tool bar button
  • Right-click the template to be deleted and select Delete

2 A dialog will be displayed confirming that you want to delete the selected template. Select Yes.

SQL Reporting Services Wizard


The SQL Reporting Services wizard is displayed when you select the Add tool bar button on the SQL Reporting
Services page. Using this wizard you can define the reporting services and data source information to be
included in the template, as well as the user and group accounts authorized to use this template to publish
reports to SRS.

The following table provides a description of the fields and controls in the SQL Reporting Services wizard.
NOTE: A red flashing icon indicates that you have not yet entered the required information. A green check
mark indicates that the required information has been specified and you are ready to proceed.
Table 25. SQL Reporting Services wizard
Create or modify a SQL Reporting Services Template page: Use this page to enter a name for the template
and credentials to be used to access the SQL Reporting Services server and Change Auditor shared data source.
Template Name

Enter a descriptive name for the SQL Reporting Services template being
created.


SQL Server Reporting Services
NOTE: SQL Reporting Services must be configured with anonymous access disabled.
NOTE: The account entered in this section requires rights to create SRS reports and data sources on the server
(a.k.a. Content Manager).
Report Server URL

Enter the URL for the SQL Reporting Services (SRS) server that will be hosting
the Change Auditor reports.
For example: http://<SQL_Server>/<ReportServer>
where <SQL_Server> is the name of the server hosting SRS and <ReportServer>
is the name of the report server virtual directory.

User

Enter a user name for a Windows account that has credentials to copy files to a
SQL Reporting Service.

Password

Enter the password associated with the user name entered above.

Domain

Enter the domain for the Windows account to be used to access SRS.

Change Auditor Shared Data Source


NOTE: The account specified in this section is used to create and read data from the Change Auditor data
source.
Data Source Name

Enter the name of the Change Auditor data source.

Authentication

Select the appropriate authentication method for connecting to the Change
Auditor data source:
• Windows Authentication - Select this option to use Windows
  authentication for connecting to the Change Auditor data source.
• SQL Server Authentication - Select this option to use SQL Server
  authentication for connecting to the Change Auditor data source.

User

Enter a user name for the account to be used to access the Change Auditor
data source.

Password

Enter the password associated with the user name entered above.

Domain

Enter the domain for the user account to be used to access the Change Auditor
data source. This only applies to Windows Authentication.

Test

Use the Test button at the bottom of the dialog to verify the credentials
entered in the SQL Server Reporting Services section at the top of the dialog.

Select Accounts Authorized to Use This SQL Reporting Services Service Template page
When you enter a user or group account on this page, you are defining which users/groups are allowed to use
this template to publish Change Auditor reports to SRS. That is, only users who are listed on this page (or users
in any groups listed on this page) will be able to use the Import SRS Settings button on the Reporting Services
Setup dialog to select this SRS template.
Browse Page

Displays a hierarchical view of the containers in your environment allowing you
to locate and select the user or group account(s) to be included in this
template.
Once you have selected an account, use the Add button to add it to the list box
at the bottom of the page.

Search Page

Use the controls at the top of the Search page to search your environment to
locate the desired user or group account.
Once you have selected an account, use the Add button to add it to the list box
at the bottom of the page.

Options Page

Use the Options page to modify the search options or global catalog used to
retrieve directory objects.


Account List

The list box located across the bottom of this page displays the accounts that
are authorized to import the SRS settings in this template to publish Change
Auditor reports to SRS. Use the buttons located above this list box to add and
remove objects.
Select a user or group in the Browse or Search page and select the Add button
to add it to the list.
Select an entry from the list and then select the Remove button to remove it.
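
Table 25 notes that SQL Reporting Services must be configured with anonymous access disabled. The Python code below is an added example, not part of this guide or of Change Auditor: it classifies how a report server answers a request that carries no credentials. It assumes the server uses HTTP authentication (a 401 response with a WWW-Authenticate challenge); the function names and the sample host names are constructed for illustration.

```python
"""Added example: confirm that a report server URL refuses anonymous requests."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample responses (placeholder hosts, not taken from the guide):
# (report server URL, HTTP status, WWW-Authenticate header values)
SAMPLE_RESPONSES = [
    ("http://sqlsrv01.example.test/reportserver", 401, ["Negotiate", "NTLM"]),
    ("http://sqlsrv02.example.test/reportserver", 200, []),
    ("http://sqlsrv03.example.test/reportserver", 401, ['Basic realm="reports"']),
]


def classify_probe(url, status, www_authenticate):
    """Classify the answer to a request that was sent WITHOUT credentials.

    Returns (verdict, offered_schemes, findings) where verdict is one of
    "auth-required", "anonymous-allowed" or "inconclusive".
    """
    # The first token of each WWW-Authenticate value names the auth scheme.
    schemes = sorted(
        {value.split(None, 1)[0].lower() for value in www_authenticate if value.strip()}
    )
    findings = []
    if status == 401 and schemes:
        verdict = "auth-required"
        # Basic sends the password in recoverable form, so it needs TLS.
        if "basic" in schemes and urlsplit(url).scheme.lower() != "https":
            findings.append("Basic authentication offered over plain HTTP")
    elif status == 401:
        verdict = "inconclusive"
        findings.append("401 without a WWW-Authenticate challenge")
    elif 200 <= status < 300:
        verdict = "anonymous-allowed"
        findings.append("content returned to a request that carried no credentials")
    else:
        verdict = "inconclusive"
        findings.append("unexpected HTTP status %d" % status)
    return verdict, schemes, findings


def probe(url, timeout=10):
    """Send one credential-free GET to the report server URL and classify it."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        raise ValueError("report server URL must use http or https: %r" % url)
    request = urllib.request.Request(url, method="GET")
    try:
        # The default opener has no authentication handlers, so the
        # request is anonymous.
        with urllib.request.urlopen(request, timeout=timeout) as response:
            status, headers = response.status, response.headers
    except urllib.error.HTTPError as err:
        # 4xx/5xx answers arrive as exceptions; they still carry headers.
        status, headers = err.code, err.headers
    return classify_probe(url, status, headers.get_all("WWW-Authenticate") or [])


if __name__ == "__main__":
    for sample_url, sample_status, sample_challenge in SAMPLE_RESPONSES:
        print(sample_url, classify_probe(sample_url, sample_status, sample_challenge))
```

To check a live server, call probe() with the Report Server URL entered in the wizard; a verdict of "anonymous-allowed" means the server returned content without asking for credentials.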


16
Change Auditor User Interface Authorization

Introduction

Application User Interface Authorization page

Add task definition

Add role definition

Add application group

Introduction
Role-based access control allows you to assign users/groups to roles based on their job functions and grant
these roles permissions to perform related tasks. Role-based access control can be broken down into the
following entities that are used to define who can do what:

• Operation: a single action that users need to be granted rights to perform
• Task: a collection of logically related operations
• Role: a logical group of users and the tasks they are allowed to perform

Authorization for using the different features of the Change Auditor client is defined using the Application User
Interface Authorization page. From this page on the Administration tab, you can add new task and role
definitions or delete user-defined roles and tasks that are no longer being used.
By default, the following roles and tasks are defined; therefore, no action is required on your part to start using
the Change Auditor client:

• AD Protection Role - has access to view Active Directory and Group Policy protection in Change Auditor
• Administrator Role - has full administrator privileges with access to all aspects of the Change Auditor
  Client, Change Auditor Web Client and deployment of Change Auditor agents
• Operator Role - has only operator privileges with limited access to the Change Auditor client (e.g. these
  users can define and run searches, but they cannot access the Administration, Statistics or Deployment
  pages) and access to perform all tasks except the administration functions in the Change Auditor web
  client
• Web Client Shared Overviews Role - has view access to the Change Auditor web client shared overviews,
  while restricting access to only what has been shared
• AD Protection Task - grants access to Active Directory and Group Policy protection tasks
• Administrator Task - grants full administrator access
• Operator Task - grants operator access only
• Web Client Shared Overviews Task - grants view access to web client shared overviews

During the Change Auditor installation, you added user accounts to the Change Auditor security groups
(ChangeAuditor Administrators - <InstallationName> and ChangeAuditor Operators - <InstallationName>). These
security groups are automatically added as members of the appropriate role (Administrator Role and Operator
Role). If applicable, during the Change Auditor web client installation, you may have also added user accounts
to the ChangeAuditor Web Shared Overview Users security group. This additional security group is added as a
member to the Web Client Shared Overviews role.
NOTE: The Administrator, Operator and Web Client Shared Overviews roles and tasks cannot be removed,
renamed or edited.
In addition, using the AD Protection role and task, Change Auditor administrators can specify who is authorized
to view protection definitions for Active Directory and Group Policy objects. Refer to the Dell Change Auditor
for Active Directory User Guide for more information on restricting access to specific domains and
organizational units.
This section provides a description of the Application User Interface Authorization page. It also provides
instructions for adding task definitions, role definitions and application groups to define who can use the
different features available in the Change Auditor client. For a description of the other dialogs mentioned in
this chapter, refer to the online help.

Application User Interface Authorization page

The Application User Interface Authorization page is displayed when Application User Interface is selected
from the Configuration task list in the navigation pane of the Administration Tasks tab.
From this page, you can define who is authorized to perform the different operations available in the Change
Auditor client, including performing the administrative tasks listed on the Administration Tasks tab and defining
search criteria.

The Application User Interface Authorization page contains an expandable view of the role and task definitions
which define role-based access. To add a role or task, use the appropriate Add tool bar command: Add | Add
Role Definition or Add | Add Task Definition.

Once added, the following information is provided for each definition:

Name
Displays the name assigned to the role or task definition when it was created.

Type
Indicates the type of definition:

Role

Task

Description
Displays the description entered when the role or task definition was created.
Click the expansion box to the left of a Role Definition to expand this view and display the following details:

Member
Displays the user and group accounts that are assigned as members of the selected role.

Type
Indicates the type of account in the selected role:

Group

User

Application Group

Description
Displays the description from the Members tab of the Authorization Role dialog when the role was
created.
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the roles or tasks that meet the search criteria (i.e.,
comparison operator and characters entered). For more details about using the data filtering function
provided throughout the Change Auditor client, see Filter data.

Add task definition


A task is a collection of operations and sometimes lower-level tasks that can be performed.
1 Open the Administration Tasks tab.

2 Click the Configuration task button at the bottom of the navigation pane (left pane).

3 Select Application User Interface in the Configuration task list to open the Application User Interface
Authorization page.

4 Expand the Add tool bar button and click the Add Task Definition command.

5 On the Task page of the Authorizations: Task dialog, enter the following information:

   • Name: Enter a name for the task

   • Description: Enter a brief description of the task

6 Open the Definition tab and add the operations and lower-level tasks that can be performed:

   • To add a lower-level task, click the Add Task button and select a task from the Authorizations:
   Task Definitions dialog.

   • To add an operation, click the Add Operation button and select one or more operations from the
   Authorizations: Operations dialog.

7 Click the OK button to save your new task definition and close the Authorizations: Task dialog.

This task will now be included in the task list on the Authorizations: Task Definitions dialog and can be
included in a role definition.
Task definitions are also listed on the Application User Interface Authorization page.

Add role definition


A role definition defines who is authorized to perform specific tasks and/or individual operations in the Change
Auditor client. A role usually corresponds to a job function or responsibility and consists of a collection of tasks
that a user must be authorized to perform to do their job function.
1 Open the Application User Interface Authorization page.

2 Click the Add tool bar button or expand the Add button and click Add Role Definition.

3 On the Authorizations: Role dialog, enter the following on the Role tab:

   • Name: Enter a name for the role

   • Description: Enter a brief description of the role

4 Open the Definition tab to add a role, task or operation to this role:

   • To add a role, click the Add Role button and select a role from the Authorizations: Role
   Definitions dialog.

   • To add a task, click the Add Task button and select a task from the Authorizations: Task
   Definitions dialog.

   • To add an operation, click the Add Operation button and select one or more operations from the
   Authorizations: Operations dialog.

5 Open the Members tab to add a user, group or application group to this role.

   • To add an application group, click the Add Application Group button and select an application
   group from the Authorizations: Application Groups dialog.

   • To add a user or group, click the Add User or Group button, which will display the Select one or
   more Directory Objects dialog. Use the Browse page or Search page to locate and select the user
   and/or group account(s) to be added.

NOTE: If a user or group account is added to multiple access roles, the account will have the
authority to perform the operations defined in the more authoritative role.

6 Click the OK button to save your new role definition and close the Authorizations: Role dialog.
Role definitions are displayed on the Application User Interface Authorization page.

Add application group


Application groups give you an alternate way of assigning users to roles. An application group is a feature of
Windows Authorization Manager (AzMan) where you can define a group of users without having to go through
your domain administrator to add a new group to Active Directory.


1 Open the Application User Interface Authorization page.

2 Expand the Add tool bar button and click Add Application Group.

3 On the Group tab of the Authorizations: Application Group dialog, enter the following information:

   • Name: Enter a name for the application group

   • Description: Enter a brief description for the application group

4 Select one of the following methods which is to be used to define a group of users:

   • Basic (default)
   • LDAP Query

NOTE: Basic groups are a lot like Active Directory groups; however you can define both included
and excluded members. LDAP query groups allow you to define an LDAP query to dynamically
create a group of users who are similar. Refer to the Windows Authorization Manager
documentation for more information on basic and LDAP query groups.

5 Open the Members tab and add the users and groups that are to be members of this application group.

   • To add an application group, click the Add Application Group button and select an application
   group from the Authorizations: Application Groups dialog.

   • To add a user or group, click the Add User or Group button, which will display the Select Active
   Directory Objects dialog. Use the Browse page or Search page to locate and select the user(s)
   and/or group(s) to be added.

6 Optionally, open the Non-Members tab and add the users and groups that are to be excluded from this
application group.

   • To add an application group, click the Add Application Group button and select an application
   group from the Authorizations: Application Groups dialog.

   • To add a user or group, click the Add User or Group button, which will display the Select Active
   Directory Objects dialog. Use the Browse page or Search page to locate and select the user(s)
   and/or group(s) to be added.

7 Click the OK button to save your new role definition and close the Authorizations: Role dialog.

When the selected member(s) now try to define Active Directory protection they will be restricted to
defining protection for the selected domain or organizational unit.
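
Because roles can contain roles, tasks and operations, and application groups can both include and exclude members, it helps to compute what each account can actually do before granting access. The following is an added example, not code from this guide or from Change Auditor. It assumes Authorization Manager semantics for basic application groups (grants from several roles are additive, and a non-member entry overrides a member entry); every role, task, operation, group and account name in it is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Task:
    operations: set = field(default_factory=set)
    tasks: set = field(default_factory=set)        # lower-level tasks


@dataclass
class Role:
    roles: set = field(default_factory=set)        # nested roles
    tasks: set = field(default_factory=set)
    operations: set = field(default_factory=set)
    members: set = field(default_factory=set)      # users, AD groups, application groups


@dataclass
class AppGroup:                                    # "Basic" application group
    members: set = field(default_factory=set)
    non_members: set = field(default_factory=set)


# Constructed sample configuration; every name below is hypothetical.
TASKS = {
    "Search Task": Task(operations={"search.define", "search.run"}),
    "Reporting Task": Task(operations={"report.schedule"}, tasks={"Search Task"}),
    "Agent Admin Task": Task(operations={"agent.deploy", "agent.config"},
                             tasks={"Reporting Task"}),
}
ROLES = {
    "Analyst Role": Role(tasks={"Search Task"}, members={r"CORP\SOC-Analysts"}),
    "Helpdesk Role": Role(roles={"Analyst Role"}, tasks={"Reporting Task"},
                          operations={"alert.acknowledge"}, members={"app:Helpdesk"}),
    "Platform Role": Role(tasks={"Agent Admin Task"}, members={r"CORP\alice"}),
}
APP_GROUPS = {
    "app:Helpdesk": AppGroup(members={r"CORP\Helpdesk", "app:Contractors"},
                             non_members={r"CORP\tmp-intern"}),
    "app:Contractors": AppGroup(members={r"CORP\ext-lee"}),
}
AD_GROUPS = {                                      # user -> AD groups it belongs to
    r"CORP\alice": {r"CORP\SOC-Analysts"},
    r"CORP\bob": {r"CORP\Helpdesk"},
    r"CORP\tmp-intern": {r"CORP\Helpdesk"},
    r"CORP\ext-lee": set(),
}


def task_operations(name, seen=None):
    """Operations granted by a task, including its lower-level tasks."""
    seen = set() if seen is None else seen
    if name in seen:                               # already expanded (or a cycle)
        return set()
    seen.add(name)
    ops = set(TASKS[name].operations)
    for child in TASKS[name].tasks:
        ops |= task_operations(child, seen)
    return ops


def role_operations(name, seen=None):
    """Operations granted by a role: its own, its tasks' and its nested roles'."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    role = ROLES[name]
    ops = set(role.operations)
    for task in role.tasks:
        ops |= task_operations(task)
    for nested in role.roles:
        ops |= role_operations(nested, seen)
    return ops


def is_member(principals, entries, path=frozenset()):
    """True if an entry is one of the principals or an application group holding them."""
    return any(e in principals or (e in APP_GROUPS and in_app_group(principals, e, path))
               for e in entries)


def in_app_group(principals, group, path=frozenset()):
    if group in path:                              # cyclic nesting: stop here
        return False
    path = path | {group}
    g = APP_GROUPS[group]
    # Assumed AzMan behaviour: exclusion (non-members) wins over inclusion.
    return not is_member(principals, g.non_members, path) and is_member(principals, g.members, path)


def effective_access(user):
    """Return (roles the user holds, union of operations those roles grant)."""
    principals = {user} | AD_GROUPS.get(user, set())
    granted = {n: role_operations(n) for n, r in ROLES.items()
               if is_member(principals, r.members)}
    return sorted(granted), set().union(*granted.values())


def who_can(operation):
    """Known users whose effective access includes the given operation."""
    return sorted(u for u in AD_GROUPS if operation in effective_access(u)[1])


if __name__ == "__main__":
    for user in AD_GROUPS:
        roles, ops = effective_access(user)
        print(user, roles, sorted(ops))
    print("agent.deploy:", who_can("agent.deploy"))
```

The model covers basic application groups only; LDAP query groups would need the query evaluated against the directory.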

17
Enable/Disable Event Auditing

Introduction

Audit Events page

Enable/disable event auditing

Modify event's severity level or event class description

Define events to be captured based on results

View event information

Introduction

Change Auditor provides in-depth, real-time auditing for key Active Directory configuration changes. Change
Auditor allows you to enable/disable the auditing of individual events so that Change Auditor is auditing only
those events that are vital to your organization's operation. In addition, Change Auditor allows you to modify
the severity level (high, medium, or low) and description assigned to each event. The severity level is used by
Change Auditor when processing events and to help you in determining the potential level of risk associated
with each configuration change event.
This section provides a description of the Audit Event page (Administration Tasks tab) which is used to
enable/disable event auditing and modify an event's severity level or description. In addition, it provides
information on how to set up Change Auditor to capture events based on the results of the operation performed
in the event.

Audit Events page


The Audit Events page is displayed when Audit Events is selected from the Auditing task list in the navigation
pane of the Administration Tasks tab, and lists all of the events available for auditing by Change Auditor. It also
displays the facility to which the event belongs, the severity assigned to each event, if the event is enabled or
disabled and the type of Change Auditor license that is required.
NOTE: Changes made on this page are global and will apply to ALL Change Auditor agents.
The Audit Events page contains an alphabetical list of all the Change Auditor events, including the following
information:

Table 26. Audit Events page: Field descriptions

Column
Description

Severity
Indicates the severity level assigned to each event:
   • Low
   • Medium
   • High
When your cursor is placed in this cell, a drop-down arrow is added allowing you to
change an event's severity setting.

Facility Name
Displays the name of the facility to which each event belongs.

Event Class
Displays a descriptive title for each event.

Status
Indicates whether the event is enabled or disabled.
When your cursor is placed in this cell, a drop-down arrow is added allowing you to
either enable or disable the event.

License Type
Displays the type of Change Auditor license required for each event:
   • Any License
   • Active Directory
   • AD Query
   • Authentication Services
   • Cloud Storage
   • Defender
   • EMC
   • Exchange
   • File System
   • Logon Activity
   • Lync
   • NetApp
   • SharePoint
   • SonicWALL
   • SQL

Results
Displays the result criteria used to capture change events. That is, you can use the
options in this column to specify if an event is to be captured based on the results of the
operation mentioned in the event.
   • All Results (default)
   • Success Only
   • Success and Failed Only
   • Success and Protected Only
For example, if you only want to capture successful events where the operation
occurred as stated in the event, you would set this to Success Only. Then, if the change
was prevented from occurring as stated in the event (because the object was protected
by Change Auditor or the operation was prevented due to a factor/setting outside of
Change Auditor's control) the associated event would not be captured.

Enable/disable event auditing


Change Auditor allows you to enable or disable events to best suit your organization. To view or modify the
current event auditing settings, use the Audit Events page, which is accessible through the Administration Tasks
tab.
NOTE: If event logging is enabled, enabling or disabling events in Change Auditor does NOT impact this
setting and events will continue to be sent to the appropriate Windows event log.

To disable/enable individual events:


1 Open the Administration Tasks tab.

2 Click the Auditing task button at the bottom of the navigation pane (left pane) of the Administration
Tasks tab.

3 Select Audit Events (under the Configuration heading in the Auditing task list) to display the Audit
Events page.

4 To disable an event, use one of the following methods:

   • Select one or more enabled events and click the Disable tool bar button. (Use the Shift or Ctrl
   keys to select multiple events.)

   • Select an enabled event, place your cursor in the corresponding Status cell, click the arrow
   control and select Disabled from the drop-down menu.

   • Right-click an enabled event and select Disable.

5 To enable an event, use one of the following methods:

   • Select one or more disabled events and click the Enable tool bar button. (Use the Shift or Ctrl
   keys to select multiple events.)

   • Select a disabled event, place your cursor in the corresponding Status cell, click the arrow
   control and select Enabled from the drop-down menu.

   • Right-click a disabled event and select Enable.

NOTE: You can also disable or enable an event using the Disable/Enable tool bar button at the top of the
Event Details pane on a Search Results page.

Modify event's severity level or event class description

In addition, each event has been assigned a severity level and a description, which can also be changed based
on your organization's operation. To view or modify the current event auditing settings, use the Audit Events
page, which is accessible through the Administration Tasks tab.

To modify an event's severity level:

1 Open the Audit Events page.

2 Use one of the following methods to change an event's severity:

   • Select one or more events and click the appropriate Severity (High, Medium or Low) tool bar
   button. Use the Shift or Ctrl keys to select multiple events.

   • Select an event, place your cursor in the corresponding Severity cell, click the arrow control and
   select the appropriate severity level from the drop-down menu.

   • Right-click an event and select the appropriate severity level from the context menu.

3 To reset an event's severity to the factory default, select one or more events and click the Default tool
bar button.
To modify an event class description:


1 Open the Audit Events page.

2 Select the event from the list and click the Edit tool bar button.
This will display the Rename dialog listing the existing description and allowing you to enter a new
description for the selected event.

3 In the New field, enter the new description for the selected event and click OK.

Define events to be captured based on results

The Results column on the Audit Events page allows you to specify if an individual event is to be captured by
Change Auditor based on the results of the operation performed in the event. That is, you can specify to
capture an individual event based on the following results:

All Results - capture event regardless of the result returned.

Success Only - capture event only if the operation occurred as stated in the event.

Success and Failed Only - capture event if the operation occurred as stated in the event or if it was
prevented due to a factor/setting outside of Change Auditor's control.

Success and Protected Only - capture event if the operation occurred as stated in the event or if it was
prevented because the object was protected using Change Auditor's protection feature.

To change the results criteria for capturing an event:


1 Open the Audit Events page.

2 Locate the event to be modified.

3 Place your cursor in the Results cell for that event, click the arrow control and select one of the
following options:

   • All Results (default)

   • Success Only

   • Success and Failed Only

   • Success and Protected Only

Change Auditor will now only capture and return the event if the operation mentioned in the event
meets the results criteria selected.

View event information


Change Auditor provides access to the associated Event Reference Guide which contains detailed descriptions
for each event, including how Change Auditor detected the configuration change event, what the changed
parameter controls, and the consequence of such a change.

To view the event reference guide:


1 Open the Audit Events page.

2 Select an event from the list and click the Knowledge Base tool bar button or right-click command.
This will open the Event Reference Guide.

18
Account Exclusion

Introduction

Excluded Accounts Auditing page

Excluded Accounts templates

Excluded Accounts wizard

Introduction
The account exclusion feature allows you to define a list of trusted accounts which are to be excluded from the
Change Auditor auditing process. This enables you to exclude events generated by accounts that make a large
number of changes or by accounts which are trusted.
To use the account exclusion feature, you must first complete the following steps to define the user/computer
accounts that can make changes without triggering an event in Change Auditor:
1 Create an Excluded Accounts template which specifies the user and/or computer accounts that are to be
excluded from the auditing process. For more information on creating a template, refer to Excluded
Accounts templates.

2 Add this template to an agent configuration. For more information on how to add a template to an agent
configuration, refer to Define agent configurations.

3 Assign the agent configuration to Change Auditor agents. For more information on how to assign an agent
configuration to an agent, refer to Assign agent configurations to server agents.

This section provides instructions for creating Excluded Accounts templates, as well as a description of the
Excluded Accounts page and Excluded Accounts wizard. For a description of the other dialogs mentioned in this
chapter, refer to the online help.

Excluded Accounts Auditing page


The Excluded Accounts Auditing page is displayed when Excluded Accounts is selected from the Auditing task in
the navigation pane of the Administration Tasks tab. From this page you can launch the Excluded Accounts
wizard to create a new template. You can also edit existing templates, disable/enable templates, and remove
templates that are no longer being used.
The Excluded Accounts Auditing page contains an expandable view of all the Excluded Accounts templates that
have been defined. To add a new template to this list, use the Add tool bar button. Once added, the following
information is provided for each Excluded Accounts template:

Template
Displays the name assigned to the template when it was created.

Status
Indicates whether the template is enabled or disabled. To enable/disable the template, place your
cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down
menu.
Account
This field is used for filtering data.

Operations
If specified, displays the event classes and/or facilities specified on the first page of the wizard that are
to be excluded for the account.
Click the expansion box to the left of the Template Name to expand this view and display the following details
about the template:

Type
Displays the type of account (i.e., user, computer or group) selected for exclusion as specified on the
second page of the wizard.

Account
Displays the name of the account selected for exclusion.

Display Name
If available, displays the display name assigned to the excluded accounts listed.
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the templates that meet the search criteria (i.e.,
comparison operator and characters entered). For more details about using the data filtering function
provided throughout the Change Auditor client, see Filter data.

Excluded Accounts templates


In order to exclude accounts from Change Auditor auditing, you must first create an Excluded Accounts
template which specifies the user or computer accounts that are to be excluded. You can then add this
template to an agent configuration, which then needs to be assigned to the appropriate Change Auditor
agent(s).

To create an Excluded Accounts template:


1 Open the Administration Tasks tab.

2 Click the Auditing task button at the bottom of the navigation pane (left-hand pane).

3 Select Excluded Accounts (under the Configuration heading in the Auditing task list) to open the
Excluded Accounts Auditing page.

4 Click the Add tool bar button to launch the Excluded Accounts wizard which will step you through the
process of creating an Excluded Accounts template.

5 On the first page of the wizard, enter the following information:

   • Template Name - Enter a name for the template.

   • Optionally select the facilities/event classes to be excluded.

      • To add individual event classes, select one or more events from the displayed list and click
      the Add | Add This Event button.

      • To add all the events in a facility, select an event from the facility and click the Add | Add
      All Events in Facility button.

After providing a name and optionally selecting the facilities/event classes to be excluded, click Next.

6 On the second page of the wizard, select the accounts that are to be excluded from Change Auditor
auditing.
Use the Browse or Search pages to locate and select the account to be excluded. Click the Add button to
add the selected account to the list box at the bottom of the page.
Repeat this step to add additional accounts to the exclusion list.

7 (Optional) To specify a wildcard search expression to dynamically exclude additional user accounts from
auditing, click Next.
On the Select Accounts to Exclude using Wildcards page, add the accounts to be excluded from auditing.
In the text box, enter the wildcard expression (string of characters and/or wildcard character) to be
used to search the Domain(NetBIOS)\NT 4 account name for matching users:

   • Use an asterisk (*) to substitute zero or more alphanumeric characters.

   • Use a question mark (?) to substitute a single alphanumeric character.

Click the Add button to add the string to the Account list.
NOTE: This page should be used to exclude multiple users that match the wildcard search
expression. Explicitly named user accounts must be specified on the previous page of the wizard.

8 After specifying the accounts to be excluded, click the Finish button to create the template without
assigning it to an agent configuration.
Clicking the Finish button will create the template, close the wizard and return to the Excluded
Accounts Auditing page, where the newly created template will now be listed.

9 To create the template and assign it to an agent configuration, expand the Finish button and click Finish
and Assign to Agent Configuration.
This will display the Configuration Setup dialog, allowing you to select the agent configuration to which
the template is to be assigned.
NOTE: Back on the Excluded Accounts Auditing page, you can also use the Assign tool bar button to
assign the selected template to an agent configuration. Clicking this button will display the
Configuration Setup dialog allowing you to select the agent configuration to which this template is
to be assigned.

10 On the Agent Configuration page, select the agent(s) assigned to use the modified agent configuration
and click the Refresh Configuration tool bar button. This will ensure the agent(s) are using the latest
configuration.
NOTE: If you do not refresh the agent's configuration, the agent will automatically check for a new
agent configuration based on the polling interval setting (located on the System Settings tab of the
Configuration Setup dialog). The default is every 15 minutes.

To modify an Excluded Accounts template:


1 On the Excluded Accounts Auditing page, select the template to be modified and click the Edit tool bar
button or right-click command.
This will display the Excluded Accounts wizard, where you can modify the current list of accounts
included in the template.

2 Click the Finish button or expand the Finish button and click Finish and Assign to Agent Configuration.

To disable an Excluded Accounts template:


The disable feature allows you to temporarily stop excluding the specified accounts without having to remove
the auditing template.
1 On the Auditing page, use one of the following methods to disable an auditing template:

   • Place your cursor in the Status cell for the template to be disabled, click the arrow control and
   select Disabled.

   • Right-click the template to be disabled and select Disable.

The entry in the Status column for the template will change to Disabled.

2 To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.

To delete an Excluded Accounts template:


1 On the Auditing page, use one of the following methods to delete a template:

   • Select the template to be deleted and click the Delete | Delete Template tool bar button.

   • Right-click the template to be deleted and select Delete.

2 A dialog will be displayed confirming that you want to delete the selected template. Click Yes.

To delete an account from an Excluded Accounts template:


1 On the Excluded Accounts Auditing page, use one of the following methods to delete an account from an
auditing template:

   • Select the account to be deleted and click the Delete | Delete Excluded Account tool bar button

   • Right-click the account to be deleted and select Delete

2 A dialog will be displayed confirming that you want to delete the account from the template. Click Yes.
NOTE: If the account is the last one in the template, deleting this account will also delete the
template.

Excluded Accounts wizard


The Excluded Accounts wizard is displayed when you click the Add tool bar button on the Excluded Accounts
Auditing page. This wizard steps you through the process of creating a new Excluded Accounts template,
identifying the user, computer or group accounts to be included in the template. You will also use this wizard to
modify a previously defined Excluded Accounts template.
The following table provides a description of the fields and controls in the Excluded Accounts wizard:
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your
cursor over this icon displays a tool tip explaining what needs to be entered.

Table 27. Excluded Accounts wizard


Create or modify an Excluded Accounts Auditing Template page
On the first page of the wizard, enter a name for the template and optionally select the event
classes/facilities to be excluded.

Template Name

Enter a descriptive name for the Excluded Accounts template being created.

Facility/Event Class data grid

The data grid located across the middle of the page displays all of the event classes
available for auditing in Change Auditor.
By default, all event classes/facilities will be excluded for the selected account(s).
To exclude individual event classes and/or facilities, use this grid to select the
event class(es) and/or facilities to be excluded and use the Add button to add them
to the Exclusion list box at the bottom of the page.
NOTE: The Change Auditor Internal Auditing facility or events CANNOT be excluded.
Exclusion list

The list box located at the bottom of this page displays the individual event classes
or facilities selected for exclusion. Use the buttons above this list box to add or
remove entries from this list.

Add | Add This Event - Click this option to add the selected events to the
list box. This option is selected by default when more than one event is
selected in the data grid.

Add | Add All Events in Facility - Click this option to add all of the events in
the selected facility to the list box. This option is only available when a
single event is selected in the data grid.

Remove - Select an entry in the list box and click the Remove button to
remove it from the template.

NOTE: If you want to exclude all event classes/facilities for the selected account,
this list box will be empty.

Select Accounts to Exclude page (a.k.a. Directory object picker)
Use this page to select the individual accounts to be excluded from auditing.

Browse page

Displays a hierarchical view of the directory objects in your environment allowing
you to locate and select the account(s) to be excluded from auditing.
Once you have selected an account, click the Add button to add it to the list box at
the bottom of the page.

Search page

Use the controls at the top of the Search page to search your environment to locate
the desired account.
Once you have selected an account, click the Add button to add it to the list box at
the bottom of the page.

Options page

Use the Options page to modify the search options used to retrieve directory
objects.

NOTE: For more information on using the Browse, Search or Options pages, refer to Directory object picker.
Account list

The list box located across the bottom of this page, displays the accounts selected
for exclusion. Use the buttons located above this list box to add and remove
objects.

Add - Select an account in the Browse or Search page and click the Add
button to add it to the list.

Remove - Select an entry from the list and then click the Remove button to
remove it.

(Optional) Select Accounts to Exclude using Wildcards page


Use this page to optionally add additional user accounts (Domain(NetBIOS)\NT 4 account) that match a
wildcard search expression to the excluded accounts list.
NOTE: This page should be used to exclude multiple users that match the wildcard search expression.
Explicitly named user accounts must be specified on the previous page of the wizard.

Search expression

In the text box, enter the string of characters and/or wildcard character to be used
to search for additional user accounts that are to be excluded from auditing. Valid
wildcards are:

Use an asterisk (*) to substitute zero or more characters.

Use a question mark (?) to substitute a single character.

Click the Add button to add the string to the Account list.
Account list

The list at the bottom of the page displays the wildcard search expressions to be
used to search for additional user accounts that are to be excluded from auditing.
Use the buttons to the left of the text box to add, remove and modify a search
expression.

Add - Click the Add button to add the search expression in the text box to
the Account list.

Remove - Select an entry in the Account list and click the Remove button to
remove it from the list.

Modify - Select an entry in the Account list, make the necessary changes to
the search expression (which is displayed in the text box) then click the
Modify button to replace it in the Account list.

NOTE: If you click the Add button after modifying a search expression, an
additional entry will be added instead of replacing the original search expression.
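
A wildcard entry silently removes every matching account from auditing, so it is worth previewing what an expression covers before adding it. The following added example (not part of this guide or of Change Auditor) evaluates expressions against a constructed account inventory, for both the wildcard step of the template procedure and the Search expression field above. The two passages word the wildcards differently ("alphanumeric characters" versus "characters"), so the sketch offers both readings; case-insensitive matching, the 50% breadth threshold and all account names are assumptions.

```python
import re


def wildcard_to_regex(expr, alnum_only=False):
    """Compile a '*' / '?' wildcard expression into a regex for domain\\account names.

    alnum_only=False: wildcards stand for any character (field table wording).
    alnum_only=True:  wildcards stand for letters and digits only (procedure wording).
    Matching is case-insensitive (assumption, not stated in the guide).
    """
    unit = "[A-Za-z0-9]" if alnum_only else "."
    parts = []
    for ch in expr:
        if ch == "*":
            parts.append(unit + "*")        # zero or more characters
        elif ch == "?":
            parts.append(unit)              # exactly one character
        else:
            parts.append(re.escape(ch))     # literal, including the backslash
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def preview_exclusions(expressions, accounts, sensitive=(), alnum_only=False, max_share=0.5):
    """Report, per expression, which inventory accounts would stop being audited."""
    sensitive_lc = {s.lower() for s in sensitive}
    report = {}
    for expr in expressions:
        rx = wildcard_to_regex(expr, alnum_only)
        matched = [a for a in accounts if rx.fullmatch(a)]
        report[expr] = {
            "matched": matched,
            # Accounts whose changes should never go unaudited.
            "sensitive": [a for a in matched if a.lower() in sensitive_lc],
            # Expression covers more than max_share of the inventory.
            "too_broad": len(matched) > max_share * len(accounts),
            # No wildcard at all: the guide says such accounts belong on the
            # previous (explicit account) page of the wizard.
            "explicit": not any(c in expr for c in "*?"),
        }
    return report


# Constructed inventory and expressions for illustration only.
ACCOUNTS = [
    r"CORP\svc-backup",
    r"CORP\svc_sql01",
    r"CORP\svcmon",
    r"CORP\svc1",
    r"CORP\Administrator",
    r"CORP\jsmith",
    r"LAB\svcmon",
]
SENSITIVE = [r"CORP\Administrator"]
EXPRESSIONS = [r"CORP\svc*", r"CORP\svc?", r"*\svcmon", r"CORP\*"]

if __name__ == "__main__":
    for label, strict in (("any character", False), ("alphanumeric only", True)):
        print("Wildcard reading:", label)
        for expr, row in preview_exclusions(EXPRESSIONS, ACCOUNTS, SENSITIVE, strict).items():
            print(" ", expr, row)
```

Where the two readings disagree for an expression you intend to use, confirm the behaviour in a test environment before relying on the exclusion.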

19
VMware Auditing

Introduction

VMware Auditing page

VMware Auditing templates

VMware Auditing wizard

VMware events polling interval

Introduction
Change Auditor's VMware auditing feature helps you ensure the security, compliance and control of event
activity and the security of VMware vCenter. It manages, audits, reports and alerts on vital changes to
VMware's infrastructure, including datacenters, hosts, virtual machines and other resources associated with
vCenter or ESX hosts.

NOTE: Throughout the Change Auditor product and documentation, references to ESX mean all
supported versions of ESX and ESXi.
This section provides a description of the VMware Auditing page and explains how to create a VMware Auditing
template. It also provides a description of the VMware Auditing wizard used to specify the VMware hosts that
are to be audited. For a description of the dialogs mentioned in this chapter, refer to the online help.

VMware Auditing page


The VMware Auditing page is displayed when VMware is selected from the Auditing task list in the navigation
pane of the Administration Tasks page. From this page you can launch the VMware Auditing wizard to define
VMware Auditing templates specifying the VMware host(s) to be audited. You can also edit existing templates,
disable/enable templates and delete templates that are no longer being used.
The VMware Auditing page contains an expandable view of all the VMware Auditing templates that have been
previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following
information is displayed for the template:

Template
Displays the name assigned to the template when it was created.

Status
Indicates whether the template is enabled or disabled. To enable/disable the template, place your
cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down
menu.

Agent
Displays the name of the Change Auditor agent assigned to audit the selected VMware host(s).

User
Displays the name of the user being used to access the VMware host(s) that are being audited.

VMware Hosts
This field is used for filtering data.

Click the expansion box to the left of the Template name to expand this view and display additional details
about an auditing template.

VMware Host
Displays the name or IP address of the vCenter Server or VMware host being audited, as entered on the
first page of the wizard.

Status
Indicates whether auditing of the selected host is enabled or disabled.

Port
Displays the port number being used to access the selected vCenter Server or VMware host.
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the templates that meet the search criteria (i.e.,
comparison operator and characters entered). For more details about using the data filtering function
provided throughout the Change Auditor client, see the Dell Change Auditor User Guide.

VMware Auditing templates

To enable VMware auditing in Change Auditor, you must first create a VMware Auditing template which
specifies the VMware hosts to be audited and the Change Auditor agent to be used to monitor the selected
VMware hosts.

NOTE: If you add multiple machines (such as vCenter Servers and/or ESX hosts) to a single auditing
template, all of these machines must use the same credentials. If you want to audit machines that use
different credentials, you must create a different VMware Auditing template for each of these machines.

To create a VMware auditing template:


1 Open the Administration Tasks tab.

2 Click the Auditing task button at the bottom of the navigation pane (left pane).

3 Select VMware (under the Applications heading in the Auditing task list) to open the VMware Auditing
page.

4 Use the Add tool bar button to launch the VMware Auditing wizard which will step you through the
process of creating a VMware Auditing template.

5 On the first page of the wizard, enter the following information:

Template Name - Enter a name for the template.


VMware Host - Enter the IP address or name (the name entered must be resolvable) of the
vCenter Server or of an individual host computer to be audited and click the Add button to add it
to the VMware Host list.
NOTE: To audit one or more hosts on a specific vCenter Server, use the Find ESX Hosts
button to search for and select the ESX host(s) to be audited. Clicking this button displays
the Find ESX Hosts dialog, where you will be asked to enter the information/credentials for
the vCenter Server for which you want to view ESX hosts. After entering the vCenter Server
information/credentials, click Search to retrieve a list of hosts. Select one or more hosts
from the list and click OK to save your selection and close the dialog. The selected hosts
will now be displayed in the VMware Host list in the auditing wizard.

Repeat this step to add additional VMware hosts to the list.


6 Click Next to select the Change Auditor agent to be used for VMware auditing.

7 On the second page of the wizard, click the Browse button.

On the Eligible Change Auditor Agents dialog, select the Change Auditor agent to be used to monitor the
selected VMware host(s).
NOTE: The Change Auditor agent must have access to the vCenter Server or VMware host(s)
selected on the first page of the wizard.
Once you have selected an agent, click the OK button to save your selection and close this dialog. Back
on the wizard page, the agent information (Agent, Domain and Agent FQDN) is displayed for the selected
Change Auditor agent.

8 Click the Set Credentials button and enter the credentials to be used to access the selected vCenter
Server or VMware host(s). After entering the credentials, click the OK button to close the credentials
dialog.
IMPORTANT: You can select an account with Read-Only access or role (for restrictions) to properly
audit VMware events. The credentials entered may be Active Directory or Linux credentials
depending on the machine (vCenter Server vs. individual host computer) selected for auditing.
If you specified multiple machines (i.e., vCenter Servers and/or ESX hosts) in the auditing
template, all of these machines must use the same credentials.
A desktop notification indicates whether access is granted or denied to the specified vCenter Server or
VMware host based on the credentials entered.

9 When valid credentials are entered, a Certificate Notice is displayed for each machine selected for
auditing. Click OK to accept the certificate(s). Once valid credentials are supplied and the certificate(s)
have been accepted, click the Finish button to close the wizard and create the template.

10 On the Administration Tasks tab, click the Configuration task button at the bottom of the navigation
pane. Select Agent in the Configuration task list to open the Agent Configuration page.
11 Select the Change Auditor Agent assigned to the VMware Auditing template (Auditing appears in the
VMware column) and click the Refresh Configuration tool bar button or right-click command. This will
ensure the agent is using the latest configuration.
NOTE: If you do not refresh the agent's configuration, the agent will automatically check for a new
agent configuration based on the polling interval setting (located on the System Settings tab of the
Configuration Setup dialog). The default is every 15 minutes.

To disable a VMware Auditing template:


1 On the Auditing page, use one of the following methods to disable an auditing template:

Place your cursor in the Status cell for the template to be disabled, click the arrow control and
select Disabled.

Right-click the template to be disabled and select Disable.

The entry in the Status column for the template will change to Disabled.

2 To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.

To disable auditing for an individual VMware host:


1 On the VMware Auditing page, use one of the following methods to disable the auditing of a VMware
host:

Place your cursor in the Status cell for the host to be disabled, click the arrow control and select
Disabled.

Right-click the host to be disabled and select Disable.

The entry in the Status column for the host will change to Disabled.

2 To re-enable the auditing of a host, use the Enable option in either the Status cell or right-click menu.

To delete a VMware Auditing template:


1 On the Auditing page, use one of the following methods to delete a template:

Select the template to be deleted and click the Delete | Delete Template tool bar button.

Right-click the template to be deleted and select Delete.

A dialog will be displayed confirming that you want to delete the selected template. Click Yes.

VMware Auditing wizard


The VMware Auditing wizard is displayed when you click the Add or Edit tool bar button on the VMware Auditing
page. From this wizard, specify the VMware hosts to be audited and the Change Auditor agent to be used to
monitor the selected VMware host(s).

The following table provides a description of the fields and controls in the VMware Auditing wizard.
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your
cursor over this icon displays a tool tip explaining what needs to be entered.


Table 28. VMware Auditing wizard


Create or modify a VMware Auditing Template page
Use the first page of the wizard to enter a name for the template and select the VMware host(s) to be audited.

Template Name

Enter a descriptive name for the VMware auditing template being created.

VMware Host

Enter the IP address or name (must be resolvable) of the vCenter Server or of a
VMware host that is to be audited.

Add

After entering the IP address or name of a host in the VMware Host text box, use
the Add button to add the host to the VMware Host selection list.

Find ESX Hosts

Clicking this button displays the Find ESX Hosts dialog allowing you to search a
vCenter Server to select the ESX hosts that are to be audited. On this dialog,
enter the IP address or name (and port) of the vCenter Server for which you want
to view ESX hosts. Click Search to retrieve a list of hosts on the selected vCenter
Server. Select one or more hosts from the list and click OK to save your selection
and close the dialog.

Remove

To remove a host from auditing, select it in the VMware Host selection list and
click the Remove button to the right of the list box.

VMware Host selection list

This list box displays the following information about the VMware hosts selected
for auditing.

VMware Host - Displays the IP address or name of the host selected for
auditing.

Port - Displays the port to be used for communication. This will display the
default SSL port (443). If this is not the correct port number for a host, use
the arrow controls to change it.



Select Change Auditor Agents page
Use the second page of the wizard to select the Change Auditor agent to be used to monitor the selected
VMware host(s) and to enter the credentials to be used to access the VMware host(s).
NOTE: If you select multiple hosts in an auditing template, all of the hosts selected must use common
credentials.

Browse

Clicking the Browse button displays the Eligible Change Auditor Agents dialog
allowing you to select an agent from the list of deployed agents.
NOTE: The Eligible Change Auditor Agents dialog only lists eligible servers running
.NET 4.0 Framework, which is a requirement for the agent selected to audit
VMware.
Once an agent is selected the following details are displayed:

Agent

Domain

Agent FQDN

User (after valid credentials have been entered using the Set Credentials
button)

Set Credentials

Clicking the Set Credentials button displays the VMware Host Credentials dialog
allowing you to enter the credentials to be used to access the machine(s) (vCenter
Servers and/or hosts) selected on the first page of the wizard.
NOTE: If you specified multiple machines (i.e., vCenter Servers and/or ESX hosts)
in the auditing template, all of these machines must use the same credentials.
NOTE: Valid credentials must be entered in order to proceed.

Clear Credentials

Clicking the Clear Credentials button allows you to clear previously entered
credentials.

Change Auditor Agent

Once a Change Auditor agent has been selected, the following information is
displayed:

Agent

Domain

Agent FQDN

User


VMware events polling interval


From the Agent Configuration page on the Administration Tasks tab you can view and/or modify the VMware
polling interval.

Use the VMware tab at the top of the Configuration Setup dialog to define the polling interval to be used to
retrieve VMware events.

Polling Interval
This setting determines how often the agent will poll the VMware host(s) for new VMware events. The
default is every 60 seconds. Use the arrow controls to increase or decrease this value.
Valid range: 60 - 9999 seconds.


20
Registry Auditing

Introduction

Registry Auditing page

Registry Auditing templates

Registry Auditing wizard

Introduction
The ability to audit registry settings improves operational efficiency dramatically. For example, some
applications, such as virus scanning software, modify registry keys when an update is installed. By capturing
these change events proactively, administrators can determine whether or not specific machines received an
update.
Furthermore, other applications may warrant the tracking of modifications to certain registry settings to ensure
that they have not been tampered with. Change Auditor's enhanced registry auditing feature allows you to audit
changes to a specific key or to a folder and its sub folders.
To capture registry events in Change Auditor, you must first complete the following steps to define the registry
keys to be audited and the events to be captured:

1 Create a Registry Auditing template which specifies the registry keys and events to be audited. For more
information on creating a Registry Auditing template, refer to Registry Auditing templates.

2 Add this template to an agent configuration. For more information on adding a Registry Auditing
template to an agent configuration, refer to Define agent configurations.

3 Assign the agent configuration to Change Auditor agents. For more information on assigning an agent
configuration to an agent, refer to Assign agent configurations to server agents.

NOTE: Event logging is disabled by default; and when enabled, only configured activities will be captured
in the Windows event log.

This section provides instructions for creating Registry Auditing templates, as well as a description of the
Registry Auditing page and Registry Auditing wizard. For a description of the other dialogs mentioned in this
chapter, refer to the online help.


Registry Auditing page


The Registry Auditing page is displayed when Registry is selected from the Auditing task list in the navigation
pane of the Administration Tasks page. From this page you can launch the Registry Auditing wizard to specify a
registry key to be audited. You can also edit existing templates, disable/enable templates and remove
templates that are no longer being used.

The Registry Auditing page contains an expandable view of all the Registry Auditing templates that have been
previously defined. To add a new template to the list, use the Add tool bar button. Once added, the following
information is provided for the template:

Template
Displays the name assigned to the template when it was created.

Status
Indicates whether the template is enabled or disabled. To enable/disable the template, place your
cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down
menu.

Registry Keys
This field is used for filtering data.
Click the expansion box to the left of the Template name to expand this view and display additional details
about an auditing template.

Registry Key
Displays the name of the file path for the registry key in the HKEY_LOCAL_MACHINE hive which was
selected for auditing on the Key page of the wizard.

Status
Indicates whether auditing of the registry key is enabled or disabled. To enable/disable the auditing of
the registry key, place your cursor in this Status cell, click the arrow control and select the appropriate
option from the drop-down menu.

Scope
Displays the scope selected for this template on the Key page of the wizard:

This object only

This object and child objects only

This object and all child objects

Value
If applicable, this column displays the specific value selected for auditing (only applies to This object
and child objects only scope).

Operations
Displays the events selected for auditing on the Events page of the wizard. Hover your mouse over this
cell to view all of the events included in the template.

Exclude
Displays the names of the sub keys to be excluded from auditing as specified on the Exclusions tab of the
wizard.
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the templates that meet the search criteria (i.e.,
comparison operator and characters entered). For more details about using the data filtering function
provided throughout the Change Auditor client, see Filter data.

Registry Auditing templates


In order to enable custom registry auditing in Change Auditor, you must first create a Registry Auditing template
which specifies the registry keys and events to be audited. You can then assign this template to an agent
configuration, which then needs to be assigned to the appropriate Change Auditor agents.

To create a Registry Auditing template:


1 Open the Administration Tasks tab.

2 Click the Auditing task button from the bottom of the navigation pane (left-hand pane).

3 Select Registry (under the Server heading in the Auditing task list) to open the Registry Auditing page.

4 Click the Add tool bar button to launch the Registry Auditing wizard which will step you through the
process of creating a Registry Auditing template.

5 Enter a name for the template.

6 Enter or use one of the Browse options to locate and select the registry key in the HKEY_LOCAL_MACHINE
hive to be audited.

Selecting the Browse | Local Registry option displays the Select registry key dialog allowing you
to select a registry key from the local server.

Selecting the Browse | Remote Registry option displays the Select Active Directory Object dialog
allowing you to select the server whose registry you would like to browse. Use the Browse or
Search pages to locate and select the server. On the Select registry key dialog select the registry
key to be audited.

Once you have selected the registry key to be audited, click the Add button to add it to the selection
list.
Repeat this step to add additional registry keys to the template.

7 For each registry key listed, select the key in the list and perform steps 8 - 11 to specify the scope,
events, values and optionally any sub keys that are to be excluded.

8 In the Scope cell, use the drop-down menu to select the scope of coverage:

This object only

This object and child objects only

This object and all child objects (default)

9 On the Events tab select the key and value events that are to be included in the audit.
NOTE: Selecting the Key Events or Value Events check box at the top of the events list on the
Events tab will select all of the events listed under the heading. Similarly, clearing the check boxes
will clear all of the selected events.

10 If you selected the This object and child objects only option in the Scope cell, you can also specify a
specific value for the selected key. To audit a specific value, open the Value tab and enter the value in
the text box provided.
11 (Optional) On the Exclusions tab, add the names of any sub keys to be excluded from auditing. Use one
of the Browse options to locate and select a sub key under the selected registry key to be excluded from
auditing:

Selecting Browse | Local Registry displays the Select registry key dialog allowing you to select a
sub key from the local server.

Selecting Browse | Remote Registry displays the Select Active Directory Object dialog allowing
you to select the server whose registry you would like to browse. Use the browse or search pages
to locate and select the server. From the Select registry key dialog, select the sub key to be
excluded.
NOTE: If you select a sub key that does not belong to the selected registry key, the wizard will not
allow you to continue. A red flashing icon is displayed indicating that you have selected a sub key
outside of the selected registry key.

You can also enter the name of the sub key to be excluded or use a file mask to select a group of sub
keys. A file mask can contain any combination of the following:

Fixed characters such as letters, numbers and other characters allowed in sub key names.

Asterisk (*) wildcard character to substitute zero or more characters.

Question mark (?) wildcard character to substitute a single character.

Once you have specified a sub key for exclusion, click the Add button to add it to the Exclusions list at
the bottom of the page.
Repeat this step to add additional sub keys to the Exclusions list.
12 To create the template without assigning it to an agent configuration, click the Finish button.
Clicking the Finish button will create the template, close the wizard and return to the Registry Auditing
page, where the newly created template will now be listed.
13 To create the template and assign it to an agent configuration, expand the Finish button and click the
Finish and Assign to Agent Configuration option.
This will display the Configuration Setup dialog allowing you to select the agent configuration to which
this template is to be assigned.
NOTE: On the Auditing page, you can also use the Assign tool bar button to assign the selected
template to an agent configuration. Clicking this button will display the Configuration Setup dialog
allowing you to select the agent configuration to which this template is to be assigned.
14 On the Agent Configuration page, select the agent(s) assigned to use the modified agent configuration
and click the Refresh Configuration tool bar button. This will ensure the agents use the latest
configuration.


NOTE: If you do not refresh the agent's configuration, the agent will automatically check for a new
agent configuration based on the polling interval setting (located on the System Settings tab of the
Configuration Setup dialog). The default is every 15 minutes.

To modify a Registry Auditing template:


1 On the Registry Auditing page, select the registry key whose properties are to be modified, and click the
Edit tool bar button or right-click command.

This will display the Registry Auditing wizard, where you can modify the following properties:

Registry key

Scope

Events (Events tab)

Value (Value tab)

Excluded sub keys (Exclusions tab)

Once you have made your modifications, click the Finish button or expand the Finish button and click
Finish and Assign to Agent Configuration.

To disable a Registry Auditing template:


The disable feature allows you to temporarily stop auditing the specified registry key without having to remove
the auditing template or individual registry key from an active template.
1 On the Auditing page, use one of the following methods to disable an auditing template:

Place your cursor in the Status cell for the template to be disabled, click the arrow control and
select Disabled.

Right-click the template to be disabled and select Disable.

The entry in the Status column for the template will change to Disabled.

2 To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.

To disable the auditing of a registry key in an auditing template:


1 On the Registry Auditing page, use one of the following methods to disable an individual registry key:

Place your cursor in the Status cell for the registry key to be disabled, click the arrow control and
select Disabled from the drop-down menu.

Right-click the registry key to be disabled and select Disable.

The entry in the Status column for the registry key will change to Disabled.

2 To re-enable the auditing of a registry key, use the Enable option in either the Status cell or right-click
menu.

To delete a Registry Auditing template:


1 On the Auditing page, use one of the following methods to delete a template:

Select the template to be deleted and click the Delete | Delete Template tool bar button.

Right-click the template to be deleted and select Delete.

A dialog will be displayed confirming that you want to delete the selected template. Click Yes.


To delete a registry key from an auditing template:


1 On the Registry Auditing page, use one of the following methods to delete a registry key from an auditing
template:

Select the registry key to be deleted and click the Delete | Delete Registry Key tool bar button

Right-click the registry key to be deleted and select Delete

Select the template to be deleted and click the Edit tool bar button or right-click command. On
the Registry Auditing wizard, select the registry key to be removed and click the Remove button.

A dialog will be displayed confirming that you want to delete the registry key from the template. Click
Yes.
NOTE: If the registry key is the last one in the template, deleting this registry key will also delete
the template.

Registry Auditing wizard


The Registry Auditing wizard is displayed when you click the Add tool bar button on the Registry Auditing page.
From this wizard, select the registry key to be audited as well as the events to be audited.
The following table provides a description of the fields and controls in the Registry Auditing wizard.
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your
cursor over this icon displays a tool tip explaining what needs to be entered. A green check mark indicates
that the required information has been specified and you are ready to proceed.

Table 29. Registry Auditing wizard


Create or modify a Registry Auditing Template page
Use the first page of the wizard to enter a name for the template and select the registry key(s) to be audited.

Template Name

Enter a descriptive name for the Registry Auditing template being created.

Registry key in the HKEY_LOCAL_MACHINE hive

Enter or use one of the browse options to select the registry key in the
HKEY_LOCAL_MACHINE hive to be audited.


Expand the browse button to browse for and select a registry key:

Local Registry - select this option to browse and select a registry key
from the local computer

Remote Registry - select this option to browse and select a registry key
from a remote server. Selecting this option displays the Select Active
Directory Object dialog allowing you to select the server whose registry
you would like to browse. Use the browse or search pages to locate and
select the server.

NOTE: Make sure that the selected remote computer is on the network, has
remote administration enabled and that both computers are running the
remote registry service. If the remote computer does not allow remote admin
access, a message will be displayed explaining that you need to select a
different server.

Registry Keys list

The list box located across the middle of the page displays the registry keys to
be included in the Registry Auditing template. Use the Add and Remove
buttons to control the contents of this list:

Add - Use the Add button to add the specified registry key to the
template.

Remove - Select a registry key from the list and click the Remove
button to remove the selected registry key from the template.

Use the drop-down box in the Scope cell of the list box to specify the scope of
coverage:

This object only - select this option to audit only this key, not its values
or sub keys.

This object and child objects only - select this option to audit this key,
its values and direct sub keys only. This is not recursive.

This object and all child objects - select this option to audit this key,
all sub keys and all values. (Default)

Select a key in this list to enable the corresponding Events, Value and
Exclusions tabs at the bottom of this page.

Events tab
Use the Events tab to select the type of events (e.g., registry key added, registry key deleted) that are to be
audited for the selected registry key. The contents of this tab are based on the entry selected above in the
Registry Keys list.

Key Events

Select the Key events to audit. Select the Key Events check box to select all of
the Key events listed or select individual events from the list.

Value Events

Select the Value events to audit. Select the Value Events check box to select
all of the Value events listed or select individual events from the list.



Value tab
If you selected the This object and child objects only option in the Scope cell, this additional tab will be
displayed allowing you to enter a specific value to be audited for the selected key.

Audit a specific value

Enter the value to be audited for the selected key.

Exclusions tab (Optional)


Use the Exclusions tab to exclude sub keys in the selected registry key from being audited.

Add the sub keys to exclude from auditing

To exclude a sub key in the selected registry key from being audited, expand
the browse button and select one of the browse options to browse either the
local or remote server for the sub key.
You can also enter the name of the sub key to be excluded from auditing. Use a
file mask to select a group of sub keys. A file mask can contain any combination
of the following:

Fixed characters such as letters, numbers and other characters allowed
in the name of sub keys.

Asterisk (*) wildcard character to substitute zero or more characters.

Question mark (?) wildcard character to substitute a single character.

Once you have specified a sub key for exclusion, click the Add button to add it
to the Excluded Keys list at the bottom of the page.



Expand the browse button and select one of the following options:

Local Registry - select this option to select a sub key from the local
server.

Remote Registry - select this option to select a sub key from a remote
registry. Selecting this option displays the Select Active Directory
Object dialog allowing you to select the server whose registry you would
like to browse. Use the browse or search pages to locate and select the
server.

NOTE: Make sure that the selected remote computer is on the network, has
remote administration enabled and that both computers are running the
remote registry service. If the remote computer does not allow remote admin
access, a message will be displayed explaining that you need to select a
different server.

Excluded Keys list

The list across the bottom of this page contains the sub keys that are to be
excluded from auditing. Use the Add and Remove buttons to add and remove
entries.

Add - Use the Add button to add the specified sub key to the Excluded
Keys list.

Remove - Select an entry in the Excluded Keys list and click the
Remove button to remove it.
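
The scope options and exclusion file masks described in Table 29 and in the template procedure, as an added example (not Change Auditor code): a small Python model for reviewing which keys a planned template entry would and would not cover. The class and function names are hypothetical, and it assumes masks are matched case-insensitively, one path component at a time, against the sub key path relative to the audited key, and that excluding a sub key also excludes everything beneath it; confirm these assumptions against the product.

```python
import re
from dataclasses import dataclass, field

# Scope names as they appear in the wizard's Scope cell.
OBJECT_ONLY = "This object only"
CHILDREN_ONLY = "This object and child objects only"
ALL_CHILDREN = "This object and all child objects"


def split_key(path):
    """Split a registry path into lower-cased components (key names are case-insensitive)."""
    return [part.lower() for part in path.strip("\\").split("\\") if part]


def mask_to_regex(mask):
    """Translate one mask component: '*' = zero or more characters, '?' = exactly one."""
    out = []
    for ch in mask.lower():
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))      # fixed characters match literally
    return re.compile("".join(out) + r"\Z")


@dataclass
class AuditedKey:
    """Hypothetical model of one row in the wizard's Registry Keys list."""
    key: str                                        # must be in HKEY_LOCAL_MACHINE
    scope: str = ALL_CHILDREN                       # the wizard default
    exclusions: list = field(default_factory=list)  # sub key names or masks

    def __post_init__(self):
        parts = split_key(self.key)
        if not parts or parts[0] not in ("hkey_local_machine", "hklm"):
            raise ValueError("only keys in the HKEY_LOCAL_MACHINE hive can be audited")
        if self.scope not in (OBJECT_ONLY, CHILDREN_ONLY, ALL_CHILDREN):
            raise ValueError("unknown scope: %r" % self.scope)
        parts[0] = "hkey_local_machine"
        self._root = parts
        self._masks = [[mask_to_regex(p) for p in split_key(e)] for e in self.exclusions]

    def covers(self, candidate):
        """Return True if changes to the key `candidate` fall inside this entry."""
        parts = split_key(candidate)
        if parts and parts[0] == "hklm":
            parts[0] = "hkey_local_machine"
        n = len(self._root)
        if parts[:n] != self._root:
            return False                   # not the audited key or anything below it
        rel = parts[n:]                    # path relative to the audited key
        if self.scope == OBJECT_ONLY and len(rel) > 0:
            return False                   # sub keys are out of scope
        if self.scope == CHILDREN_ONLY and len(rel) > 1:
            return False                   # direct sub keys only, not recursive
        for mask in self._masks:
            # Assumption: an excluded sub key also removes everything beneath it.
            if mask and len(rel) >= len(mask) and all(m.match(c) for m, c in zip(mask, rel)):
                return False
        return True


def coverage_report(entry, candidates):
    """Map each candidate key to True (audited) or False (outside coverage)."""
    return {c: entry.covers(c) for c in candidates}


# Constructed sample: the key names are illustrative, not taken from the guide.
SAMPLE_ENTRY = AuditedKey(
    key=r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleAV",
    scope=ALL_CHILDREN,
    exclusions=["Cache*", r"Logs\Run??"],
)
SAMPLE_KEYS = [
    r"HKLM\SOFTWARE\ExampleAV",
    r"HKLM\SOFTWARE\ExampleAV\Signatures\Current",
    r"HKLM\SOFTWARE\ExampleAV\CacheTemp\Items",
    r"HKLM\SOFTWARE\ExampleAV\Logs\Run01",
    r"HKLM\SOFTWARE\ExampleAV\Logs\Run001",
    r"HKLM\SOFTWARE\OtherApp",
]

if __name__ == "__main__":
    for name, audited in coverage_report(SAMPLE_ENTRY, SAMPLE_KEYS).items():
        print("audited" if audited else "skipped", name)
```

Running a list of keys you care about through such a model before adding a broad mask shows how much of the audited key the exclusion removes from coverage.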


21
Service Auditing

Introduction

Services Auditing page

Service Auditing templates

Service Auditing wizard

Introduction

Windows services are the backbone of applications and require frequent administrator actions. Changes can
be simple, such as changing a startup type or service account password. But, even the simple changes can cause
major issues. In fact, in this case it would render an application useless to its users. Change Auditor provides
service auditing capabilities, including the ability to track who starts and stops a service.
To capture service events, you must first complete the following steps to define the services to be audited:
1 Create a Service Auditing template which specifies the system service(s) to be audited or excluded from
auditing. For more information on creating a template, refer to Service Auditing templates.
NOTE: On an upgrade, Change Auditor will apply a default Service Auditing template to the Default
Configuration which will audit all services as the product did in the past. To specify individual
services, you will need to modify this auditing template for the Default Configuration or create and
apply a new Service Auditing template.

2 Add this template to an agent configuration. For more information on how to add a template to an agent
configuration, refer to Define agent configurations.

3 Assign the agent configuration to Change Auditor agents. For more information on how to assign an agent
configuration to an agent, refer to Assign agent configurations to server agents.

NOTE: Event logging is disabled by default; and when enabled, only configured activities will be captured
in the Windows event log.

This section provides instructions for creating Service Auditing templates, as well as a description of the Service
Auditing page and Service Auditing wizard. For a description of the other dialogs mentioned in this chapter,
refer to the online help.

Services Auditing page


The Services Auditing page is displayed when Services is selected from the Auditing task list in the navigation
pane of the Administration Tasks tab. From this page you can launch the Service Auditing wizard to define the
system services to be included in the auditing template. You can also edit existing templates, disable/enable
templates and remove templates that are no longer being used.


The Service Auditing page contains an expandable view of all the Service Auditing templates that have been
previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following
information is provided for each template:

Template
Displays the name assigned to the template when it was created.

Status
Indicates whether the template is enabled or disabled. To enable/disable the template, place your
cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down
menu.

Exclude
Displays the option selected to determine which services are to be included or excluded from auditing:

Audit ALL

Audit all EXCEPT

Audit ONLY

Services
This field is used for filtering data.

When individual services have been included in a Service Auditing template, click the expansion box to the left
of the Template name to expand this view and display the following details:

Service
Displays the name of the service(s) included in the template.

Status
Indicates whether auditing of the service is enabled or disabled. To enable/disable the auditing of the
service, place your cursor in this Status cell, click the arrow control and select the appropriate option
from the drop-down menu.

Display Name
Displays the display name for the listed services.

NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the templates that meet the search criteria (i.e.,
comparison operator and characters entered). For more details about using the data filtering function
provided throughout the Change Auditor client, see Filter data.

Service Auditing templates


In order to enable service auditing in Change Auditor, you must first create a Service Auditing template which
specifies the system services to be audited or those to be excluded from auditing. You can then assign this
template to an agent configuration, which then needs to be assigned to the appropriate Change Auditor agents.

To create a Service Auditing template:


1 Open the Administration Tasks tab.

2 Click the Auditing task button at the bottom of the navigation pane (left-hand pane).

3 Select Services (under the Server heading in the Auditing task list) to open the Services Auditing page.

4 Click the Add tool bar button to launch the Service Auditing wizard which allows you to define the
system services to be included in the template.

5 Enter a name for the template.

6 Select one of the following options to define whether this template is to include or exclude system
services for auditing:
   Audit ALL services (default)
   Audit ALL services except the following
   Audit ONLY the following services

7 If you selected either the Audit ALL services except the following or the Audit ONLY the following
services option, the data grid will be activated allowing you to select the services to be included or
excluded depending on the option selected.
From the services listed, select one or more services and click the Add button to move them to the list
box located at the bottom of the page. Or you can use the Add All button to move all of the services
listed to the list box.

8 If you would like to view the services on a different server, click the browse button to the far right of the
field entitled You are viewing services on.
Clicking the browse button will display the Select a Directory Object dialog, where you can use either
the Browse or Search pages to locate and select a different server. After selecting the server to be
viewed, click the Select button to close the dialog and display the services found on the selected server.

9 To create the template without assigning it to an agent configuration, click the Finish button.
Clicking the Finish button will create the template, close the wizard and return to the Services Auditing
page, where the newly created template will now be listed.

10 To create the template and assign it to an agent configuration, expand the Finish button and click Finish
and Assign to Agent Configuration.
This will display the Configuration Setup dialog allowing you to select the agent configuration to which
this template is to be assigned.
NOTE: Back on the Auditing page, you can also use the Assign tool bar button to assign the selected
template to an agent configuration. Clicking this button will display the Configuration Setup dialog
allowing you to select the agent configuration to which this template is to be assigned.

11 On the Agent Configuration page, select the agent(s) assigned to use the modified agent configuration
and click the Refresh Configuration tool bar button. This will ensure the agent(s) are using the latest
configuration.
NOTE: If you do not refresh the agent's configuration, the agent will automatically check for a new
agent configuration based on the polling interval setting (located on the System Settings tab of the
Configuration Setup dialog). The default is every 15 minutes.

To modify a template:
1 On the Services Auditing page, select the template to be modified and click the Edit tool bar button or
right-click command.

This will display the Service Auditing wizard, where you can modify the current list of services included
in the template.

Click the Finish button or expand the Finish button and click Finish and Assign to Agent Configuration.


To disable a template:
The disable feature allows you to temporarily stop auditing the specified service without having to remove the
auditing template or individual service from an active template.
1 On the Auditing page, use one of the following methods to disable an auditing template:
   Place your cursor in the Status cell for the template to be disabled, click the arrow control and
   select Disabled.
   Right-click the template to be disabled and select Disable.
The entry in the Status column for the template will change to Disabled.

2 To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.

To disable the auditing of a service in a template:


1 On the Services Auditing page, use one of the following methods to disable a service:
   Place your cursor in the Status cell for the service to be disabled, click the arrow control and
   select Disabled.
   Right-click the service to be disabled and select Disable.
The entry in the Status column for the service will change to Disabled.

2 To re-enable the auditing of a service, use the Enable option in either the Status cell or right-click
menu.

To delete a template:
1 On the Auditing page, use one of the following methods to delete a template:
   Select the template to be deleted and click the Delete | Delete Template tool bar button.
   Right-click the template to be deleted and select Delete.

A dialog will be displayed confirming that you want to delete the selected template. Click Yes.

To delete a service from an auditing template:


1 On the Services Auditing page, use one of the following methods to delete a service from an auditing
template:
   Select the service to be deleted and click the Delete | Delete Service tool bar button.
   Right-click the service to be deleted and select Delete.
   Select the template to be modified and click the Edit tool bar button or right-click command. On
   the wizard, select the service to be deleted and click the Remove button.

A dialog will be displayed confirming that you want to delete the service from the template. Click Yes.
NOTE: If the service is the last one in the template, deleting this service will also delete the
template.

Service Auditing wizard


The Service Auditing wizard is displayed when you click the Add tool bar button on the Services Auditing page.
Using this wizard you can define the system services to be included in the template.
The following table provides a description of the fields and controls in the Service Auditing wizard.
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your
cursor over this icon displays a tool tip explaining what needs to be entered.


Table 30. Service Auditing wizard

Create or modify a Service Auditing Template page
Use this page to enter a name for the template and select the services that are to be audited.

Template Name
Enter a descriptive name for the Service Auditing template being created.

Inclusion/Exclusion options
Select one of the following options to define whether this template is to include or exclude system
services for auditing:
   Audit ALL services (default)
   Audit ALL services except the following
   Audit ONLY the following services

Service data grid
If you selected either the Audit ALL services except the following or the Audit ONLY the following
services option, the data grid will be activated allowing you to select the services to be included or
excluded depending on the option selected.
Select the service(s) to be included in the template and click the Add button to add them to the list
box at the bottom of the dialog.

You are viewing services on
Displays the name of the server from which the service data grid was populated.
Use the browse button to the right of this field to select a different server. The services found on the
selected server will then be displayed.

Services list
The list box located across the bottom of the page displays the individual services to be included in
the Services Auditing template. Use the buttons above this list box to add or remove services.
   Add - Use the Add button to add the service(s) selected in the Services data grid to the list.
   Add All - Use the Add All button to add all of the services listed in the Service data grid to the list.
   Remove - Select a service entry in the list and click the Remove button to remove it from the
   template (move it back into the Services data grid).
NOTE: If you want to audit all services, this list will be empty.


22 Agent Statistics and Logs

Introduction

Agent Statistics page

Agent system tray icon

View agent status/statistics

Manage Change Auditor agents

Agent Log page

View and save agent trace logs

Introduction
In addition to the overview information provided in the Top Agent Activity pane and Agent Status pane on the
Overview page, Change Auditor provides two additional means of obtaining agent status and statistics:

The Agent Statistics page provides a global view of all installed (and if selected, uninstalled) Change
Auditor agents, including the current status and other usage statistics for each agent.

The Change Auditor Agent Status dialog, which is accessed using the Change Auditor agent system tray
icon, provides the status and usage statistics for a single agent.

You can also view or retrieve agent trace logs from the Agent Statistics page or by using the Change Auditor
agent system tray icon.
This chapter provides a description of the Agent Statistics page as well as the agent system tray component and
explains how to use these features to maintain Change Auditor agents.

Agent Statistics page


Use the View | Statistics | Agent menu command (or Ctrl+F11) to display the Agent Statistics page, which
provides a global view of all installed Change Auditor agents. This page contains the following components:

Agent Statistics grid, located at the top of the page, consists of a list of Change Auditor agents and their
current status and usage statistics.

Resource Properties pane, located across the bottom of the page, displays additional information about
the selected agent.


Agent Statistics grid


NOTE: When agents are connected or disconnected, an Agent Status message will be displayed in the
lower right corner of your screen. You can use the View Agent Statistics link in this message box to display
the Agent Statistics page.

The Agent Statistics grid may contain the following information for each agent. The Default column identifies
the fields that are displayed by default. To display different fields, click the Field Chooser button located to
the far left of the column headings and select the columns to be displayed.

NOTE: All dates and times are based on the client's current local date and time. The format used to
display the date and time is determined by the local machine's regional and language setting.

Table 31. Agent Statistics page: Field descriptions

Active Directory
Default: No
Indicates whether custom Active Directory auditing or protection has been defined.

ADAM
Default: No
Indicates whether custom ADAM (AD LDS) auditing or protection has been defined.

Agent
Default: Yes
Displays the NetBIOS name of the server that hosts a Change Auditor agent.

Agent FQDN
Default: No
Displays the fully qualified domain name of the agent.

Architecture
Default: No
Displays whether the agent is installed in a 32-bit (x86) or 64-bit (x64) environment.

Configuration
Default: No
Displays the agent configuration assigned to the agent.

Coordinator
Default: No
Displays the computer name of the Change Auditor coordinator(s) to which the agent is connected.

DB Size
Default: Yes
Displays the size of the agent database.

Domain
Default: Yes
Displays the name of the domain where the agent is located.

EMC
Default: No
Indicates whether the agent is assigned to an EMC Auditing template to capture EMC events.

Events Last 24 Hours
Default: No
Displays the number of events encountered on the agent during the past 24 hours from when the dialog
is initially opened during the current client session.
The value in this field is a hypertext link and when selected launches a quick search to display the
events generated in the last 24 hours.

Events Last Hour
Default: No
Displays the number of events encountered on the agent in the last 60 minutes from when the dialog is
initially opened during the current client session.
The value in this field is a hypertext link and when selected launches a quick search to display the
events generated in the last 60 minutes.

Events Today
Default: Yes
Displays the number of events encountered on the agent since 12:00 a.m. of the current day (based on
the relative coordinator computer's time).
The value in this field is a hypertext link and when selected launches a quick search to display the
events generated today.

Events Total
Default: Yes
Displays the number of events encountered since the agent was started.
The value in this field is a hypertext link and when selected launches a quick search to display all
events encountered since the agent was started.

Events Yesterday
Default: No
Displays the number of events encountered between 12:00 a.m. yesterday and 12:00 a.m. of the current
day (based on the relative coordinator computer's time).
The value in this field is a hypertext link and when selected launches a quick search to display the
events generated yesterday.

Exchange
Default: No
For agents hosting Exchange, this column indicates whether Exchange Mailbox auditing or Exchange
Mailbox protection has been defined.

Exchange Server
Default: No
Indicates whether the server is an Exchange Server.

Exclude Account
Default: No
Indicates whether an Excluded Accounts Auditing template has been assigned to the agent's
configuration.

File System
Default: No
Indicates whether a File System Auditing template or File System Protection template has been assigned
to the agent's configuration.

Forest
Default: No
Displays the name of the forest where the agent resides.

Group Policy
Default: No
Indicates whether Group Policy protection has been defined.

IP Address
Default: No
Displays the IP address of the agent.

Last Update
Default: Yes
Displays the date and time when the agent configuration was last updated.

Load
Default: Yes
Displays the load status of the agent service in regards to processing events. Valid entries are:
   Normal - agent service is running and processing events as expected
   Medium - agent service has more than 100 events waiting
   Critical - agent service has reached a critical load and events may be missed
   Unknown - agent service is inactive; therefore, the load is unknown

Message
Default: Yes
Displays information pertaining to agents deployed to monitor cloud storage events. It will display an
alert when a computer restart is required or if any issues have occurred during the deployment.

NetApp
Default: No
Indicates whether an agent is assigned to a NetApp Auditing template to capture NetApp filer events.

Registry
Default: No
Indicates whether a Registry Auditing template has been assigned to the agent's configuration.

Service
Default: No
Displays whether a Service Auditing template has been assigned to the agent's configuration.

SharePoint
Default: No
Indicates whether an agent is assigned to a SharePoint Auditing template to capture SharePoint events.

SQL
Default: No
Indicates whether a SQL Auditing template has been assigned to the agent's configuration.

Startup Time
Default: No
Displays the date and time when the agent was last initialized.

Status
Default: Yes
Displays the current status of the agent:
   active
   inactive
   uninstalled

Type
Default: No
Displays the agent platform:
   Domain Controller
   Global Catalog
   Server
   Workstation

Uptime
Default: Yes
Displays how long the agent has been running.

Version
Default: No
Displays the version number of the Change Auditor agent currently deployed.

VMware
Default: No
Indicates whether an agent is assigned to a VMware Auditing template to capture VMware events.

Workstation
Default: No
Indicates whether this is a workstation agent.

In addition to selecting the fields to be displayed in the grid, you can use the drop-down controls above the grid
to define what servers/workstations are to be included on the Agent Statistics page.

The following table describes how to use these controls to filter the content displayed on the Agent Statistics
page.
Table 32. Agent Statistics page: Filter controls

Type
Use the left-most control to specify the type of objects to be included in the display:
   All - select to view all agented servers and workstations (default)
   DCs - select to view agented domain controller servers
   Servers - select to view agented servers regardless of domain membership
   Workstations - select to view agented workstations (including workstations joined to the domain
   and workstation agents manually installed on non-Active Directory machines)

Active Directory view
By default, the Agent Statistics page provides a forest view of the servers found.
However, you can use the right-most controls to limit your view to an individual
domain or site.
Use the middle control to select the Active Directory view (forest, domain or site)
then use the right-most control to select an individual forest, domain or site for
which servers are to be displayed.


Resource Properties pane


The Resource Properties pane located across the bottom of the Agent Statistics page contains additional
information about the agent selected in the Agent Statistics grid.

To display the Resource Properties pane:


1 Use one of the following methods to display this pane:
   select an agent from the Agent Statistics grid and click the Show Properties tool bar button
   right-click an agent entry on the Agent Statistics grid and select Show Properties

Use the hide button in the upper right-hand corner of the Resource Properties pane to hide this pane.

NOTE: The Resource Properties pane also appears when you use the Related Search | View Resources
tool bar option on an Event Details pane. When accessed using the Event Details pane, the additional
information is for the server referenced in the selected event.

The Resource Properties pane is divided into the following tabbed pages:

Machine Info page

Processors page

Drives page

Shares page

Services page

Exchange Mailboxes page

Machine Info page


The Machine Info page contains the following operating system and hardware-related information for the
selected server.
Table 33. Resource Properties pane: Machine Info page field descriptions

TimeZone
The local machine's time zone.

Offset (Hours)
The amount of time the unitary computer system is offset from Coordinated Universal Time (UTC).

Operating System
The left pane contains the following operating system details:

OS
The operating system running on the machine.

Version
The operating system version running on the machine.

Installed
The date and time when the operating system was installed on the machine.

Last Restart
The date and time when the machine was last restarted.

Language
The language version of the operating system installed.

SKU
The unique identifying number (SKU) assigned to the machine.

Service Pack
The version number of the latest Service Pack installed on the system.

Windows
The Windows directory of the operating system.

Computer System
The right pane contains the following computer system information:

Computer
The full name assigned to the computer.

Host Name
The name of the local computer according to the domain name server (DNS).

Domain
The domain to which the agented server belongs.

Domain Role
The role assigned to the computer within a domain workgroup. Possible values include:
   0: Standalone Workstation
   1: Member Workstation
   2: Standalone Server
   3: Member Server
   4: Backup Domain Controller
   5: Primary Domain Controller

Model
The manufacturer's model number for the computer.

Roles
A list of the roles assigned to the system.

System Type
The type of system running on the Windows-based computer.

Physical Memory
The total amount of memory installed on the machine.

Processors page
The Processors page contains the following information about the processors on the selected server.
Table 34. Resource Properties pane: Processors page field descriptions

AddressWidth
The size (or width) of the address bus, which indicates the maximum amount of RAM a processor can
address. Possible values include:
   32: 32-bit operating system
   64: 64-bit operating system

Architecture
The processor architecture used by the platform. Possible values include:
   0: x86
   1: MIPS
   2: Alpha
   3: PowerPC
   5: ARM
   6: Itanium-based systems
   9: x64

Caption
A short description (one line string) for the object.

DataWidth
The size (or width) of the external data bus, which defines the rate at which data can be moved into
or out of the processor. Possible values include:
   32: 32-bit operating system
   64: 64-bit operating system

ExtClock
The external clock frequency, in MHz.

Family
The processor family type.

L2CacheSize
The amount of cache memory available for the Level 2 processor cache.

L2CacheSpeed
The clock speed, in MHz, of the Level 2 processor cache.

L3CacheSize
The amount of cache memory available for the Level 3 processor cache.

L3CacheSpeed
The clock speed, in MHz, of the Level 3 processor cache.

Manufacturer
The name of the company that manufactured the processor.

MaxClockSpeed
The maximum clock speed, in MHz, for the processor.

Name
The label assigned to the processor.

NumberOfCores
The number of cores for the current instance of the processor.

NumberOfLogicalProcessors
The number of logical processors for the current instance of the processor.

OtherFamilyDescription
The processor family type.

ProcessorId
The processor identifier that describes the processor features.

ProcessorType
The primary function of the processor. Possible values include:
   1: Other
   2: Unknown
   3: Central Processor
   4: Math Processor
   5: DSP Processor
   6: Video Processor

Revision
The architecture-dependent system revision level.

Stepping
The revision level of the processor in the processor family.

UniqueId
The globally unique identifier for the processor.

Version
The architecture-dependent processor revision number.

VoltageCaps
The voltage capabilities of the processor. Possible values include:
   1: 5 volts
   2: 3.3 volts
   4: 2.9 volts

Drives page
The Drives page contains the following information about the drives that are configured on the selected server.
Table 35. Resource Properties pane: Drives page field descriptions

DeviceID
The unique identifier assigned to the disk drive.

InterfaceType
The interface type of the physical disk drive.

Manufacturer
The name of the company that manufactured the disk drive.

Model
The manufacturer's model number of the disk drive.

Partitions
The number of partitions contained on the physical disk drive.

Size
The size of the disk drive.


Shares page
The Shares page contains the following information about the shared resources that are configured for the
selected server.
Table 36. Resource Properties pane: Shares page field descriptions

AllowMaximum
The maximum number of concurrent users that can connect to the shared resource.

Caption
A short comment that describes the shared resource.

Name
The alias assigned to the path set up as a shared resource.

Path
The fully qualified path to the shared resource.

Services page
The Services page contains the following information about the services installed on the selected server.
Table 37. Resource Properties pane: Services page field descriptions

Description
A comment that explains the purpose of the service.

DisplayName
The display name used by user interface programs to identify the service.

Name
The unique name assigned to the installed service.

PathName
The fully qualified path of the executable file for the service.

ProcessId
The process identifier of the service.

ServiceType
The type of service provided to calling processes:
   Kernel Driver
   File System Driver
   Adapter
   Recognizer Driver
   Own Process
   Share Process
   Interactive Process

StartMode
The start mode of a Windows base service:
   Boot: Device driver started by the operating system loader.
   System: Device driver started by the operating system initialization process.
   Auto: Service that is to be started automatically by the Service Control Manager during system
   startup.
   Manual: Service that is to be started by the Service Control Manager when a process calls the
   StartService method.
   Disabled: Service that cannot be started.

StartName
The name of the account under which the service should run.

State
The current state of the service:
   Stopped
   Start Pending
   Stop Pending
   Running
   Continue Pending
   Pause Pending
   Paused
   Unknown
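
The Services page fields are enough to spot the kind of change the Service Auditing chapter is concerned with, such as a new startup type or service account. The following Python sketch is an added example, not part of the Dell guide or the product: it diffs two constructed service inventories keyed on Name, and the sample services, account names and the high/info ranking are assumptions of the example.

```python
"""Diff two service inventories that use the Services page field names.

Added example; BEFORE and AFTER are constructed sample data.
"""
from dataclasses import dataclass

# Field names as listed in the Services page table (Table 37).
TRACKED_FIELDS = ("DisplayName", "PathName", "ServiceType",
                  "StartMode", "StartName", "State")

# Start modes as listed on the page; anything else is rejected as bad input.
START_MODES = {"Boot", "System", "Auto", "Manual", "Disabled"}

# Assumption of this example: changes to what runs, as whom, and when
# are reviewed first; State and cosmetic changes are informational.
HIGH_INTEREST = {"PathName", "StartName", "StartMode"}


@dataclass(frozen=True)
class Change:
    service: str
    kind: str       # "added", "removed" or "modified"
    field: str      # empty for added/removed
    old: str
    new: str
    priority: str   # "high" or "info"


def svc(name, path, mode, account, state, display=None, stype="Own Process"):
    """Build one inventory record (hypothetical helper for the sample data)."""
    return {"Name": name, "DisplayName": display or name, "PathName": path,
            "ServiceType": stype, "StartMode": mode, "StartName": account,
            "State": state}


def _index(snapshot):
    """Key records by lower-cased Name (service names are case-insensitive)."""
    indexed = {}
    for record in snapshot:
        if record["StartMode"] not in START_MODES:
            raise ValueError(
                f"{record['Name']}: unknown StartMode {record['StartMode']!r}")
        indexed[record["Name"].lower()] = record
    return indexed


def diff_services(before, after):
    """Return the list of Change records between two inventories."""
    old, new = _index(before), _index(after)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        if key not in old:
            rec = new[key]
            changes.append(Change(rec["Name"], "added", "", "",
                                  rec["PathName"], "high"))
        elif key not in new:
            rec = old[key]
            changes.append(Change(rec["Name"], "removed", "",
                                  rec["PathName"], "", "high"))
        else:
            for field in TRACKED_FIELDS:
                if old[key][field] != new[key][field]:
                    priority = "high" if field in HIGH_INTEREST else "info"
                    changes.append(Change(new[key]["Name"], "modified", field,
                                          old[key][field], new[key][field],
                                          priority))
    return changes


# Constructed sample inventories (not taken from a real server).
BEFORE = [
    svc("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto",
        "LocalSystem", "Running"),
    svc("ExampleAppSvc", r"C:\Program Files\ExampleApp\svc.exe", "Auto",
        r"CONTOSO\svc-app", "Running"),
    svc("ExampleBackup", r"C:\Program Files\ExampleBackup\agent.exe",
        "Manual", "LocalSystem", "Stopped"),
]
AFTER = [
    svc("Spooler", r"C:\Windows\System32\spoolsv.exe", "Disabled",
        "LocalSystem", "Stopped"),
    svc("ExampleAppSvc", r"C:\Program Files\ExampleApp\svc.exe", "Auto",
        "LocalSystem", "Running"),
    svc("ExampleUpdater", r"C:\ProgramData\ExampleUpdater\upd.exe", "Auto",
        "LocalSystem", "Running"),
]

if __name__ == "__main__":
    for c in diff_services(BEFORE, AFTER):
        detail = f"{c.field}: {c.old!r} -> {c.new!r}" if c.field else c.old or c.new
        print(f"[{c.priority:4}] {c.kind:8} {c.service}: {detail}")
```
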

Exchange Mailboxes page


For Exchange Mailbox servers, the Exchange Mailboxes page displays a list of the Exchange mailbox databases on
the selected server.

Agent system tray icon


Change Auditor provides an agent icon
in the system tray which can be used to enable/disable or display the
status of the Change Auditor agent installed on the current server.
NOTE: The agent system tray icon is only available for server agents.
Whenever an agent is not active, a status indicator will appear in the lower left corner of this icon to represent
its current status:

Red - inactive

Yellow - initializing

You can load the agent system tray icon using one of the following methods:

Click the Advanced Options tool bar button on the Deployment page to launch the Advanced
Deployment Options dialog. From this dialog, select the Yes option for the Launch ServiceStatusTray on
startup setting.
NOTE: By default, the Do not change option will be selected which indicates that you want to use
the current setting for the agent system tray icon. That is, if you already have it set to launch on
startup it will continue to operate that way. Similarly, it will not launch on startup if this is a clean
install and you have not previously set it up to do so.

Navigate to %ProgramFiles%\Dell\ChangeAuditor\Agent and double-click on the ServiceStatusTray.exe file.


By right-clicking on the agent system tray icon, a context menu is displayed which consists of the following
commands:
Table 38. Agent system tray icon: Right-click commands

Agent Status
Use the Agent Status command to display the Change Auditor Agent Status dialog
which assists you in determining if the agent is running, what version is installed,
and how active the agent is. See Change Auditor Agent Status dialog for a full
description of this status dialog.

Enable/Disable Agent
Use the Enable/Disable Agent command to start or stop the Change Auditor agent
service.

Find More Connections / Retry Connections
Use the Find More Connections command to seek out more coordinators in a
forest than the agent automatically found.
NOTE: An agent automatically connects to a coordinator in its own site. However,
if a coordinator is not available in the site it will then search for a coordinator in
the forest.
When the agent is connected to a coordinator that is not currently running, use
the Retry Connections command to reattempt to connect to a coordinator.

Refresh Configuration
Use the Refresh Configuration command to apply a new agent configuration to
the selected agent.
NOTE: This command is only available when the coordinator to which the agent is
connected is running.

Coordinator Credential Configurator
Use the Coordinator Credential Configurator command to enter the credentials
of the agent that can be used to find and connect to a coordinator in an Active
Directory forest.
NOTE: This command is only available when you install a Change Auditor agent on
a workgroup server.

View Agent Log
Use the View Agent Log command to launch the log viewer to review the events
recorded in the Change Auditor agent log (ChangeAuditor.dll.nptlog).
For example: %ProgramFiles%\Dell\ChangeAuditor\Agent\ChangeAuditor.dll.nptlog

Load on startup
Use the Load on startup command to automatically load the system tray
application when the Change Auditor agent service starts.

About
Use the About command to display information about the Change Auditor agent
including the installed version number and licensing information.

Exit
Use the Exit command to close the system tray application.


Change Auditor Agent Status dialog


The Change Auditor Agent Status dialog helps you determine if the Change Auditor agent is running and what
version is installed on the domain controller. The other status information in the dialog is broken down into the
following sections:

Agent Information - displays the status, version number, the coordinator installation name to which the
agent is connected, and the agent's database size

Events - displays audit event activity

Coordinator Connection - displays information regarding the connection between the agent and the
Change Auditor coordinators

This dialog contains the following status information:


Table 39. Change Auditor Agent Status dialog: Status information
Field

Description

Agent Information
Agent is

This field displays the current agent status:

Running - the agent service is running

Initializing - the agent service has started but is still initializing

Not Running - the agent service is not currently running

Failed - the agent service failed to initialize

Version

This field displays the current version of the agent installed on the server.

Installation Name

This field displays the installation name assigned to the coordinator to which the agent
is connected.

DB Size (KB)

This field displays the size of the agent database, in kilobytes. This is dependent on the
number of monitored Active Directory, registry and file system objects, and the
number of events queued for transmission to the coordinator. If a coordinator is not
available, this database may become large. When the events are successfully sent to a
coordinator, the database space is re-used for subsequent events, but the displayed
database size will not decrease.

License

This field displays the Change Auditor licenses that are applied. Use the arrow controls
to scroll through the licenses.

Events
The Events section contains indicators of internal Change Auditor activity and may be used by Dell Support
should they need to diagnose Change Auditor agent problems.
AD Events

If licensed (Change Auditor for Active Directory), this is the number of Active
Directory related events processed by the agent. This field will be blank for agents
running on member servers.

ADAM Events

If licensed (Change Auditor for Active Directory), this is the number of ADAM events
processed by the agent.

Exchange Events

If licensed (Change Auditor for Exchange) and configured, this is the number of
Exchange Mailbox events processed by the agent.

Local Security
Events

If licensed (Change Auditor for Active Directory), this is the number of local user and
group (SAM) events processed by the agent.

File System Events

If licensed (Change Auditor for Windows File Servers) and configured, this is the number
of File System events processed by the agent.

Registry Events

If configured, this is the number of Registry events processed by the agent.

VMware Events

If configured, this is the number of VMware events processed by the agent.

SQL Events

If licensed (Change Auditor for SQL Server) and configured, this is the number of SQL
Server events processed by the agent.

NetApp Events

If licensed (Change Auditor for NetApp) and configured, this is the number of NetApp
filer events processed by the agent.

EMC Events

If licensed (Change Auditor for EMC) and configured, this is the number of EMC
events processed by the agent.

SharePoint Events

If licensed (Change Auditor for SharePoint) and configured, this is the number of
SharePoint events processed by the agent.

Other Events

This is the number of events processed by the agent that do not fit into the other
event categories (e.g., Authentication Services events, Service events, etc.).

Logon Events

If licensed (Change Auditor for Logon Activity User), this is the number of user logon
activity events processed by the agent.

SonicWALL Events

If licensed (Change Auditor for SonicWALL) this is the number of SonicWALL events
processed by the agent.

Exch Online Events

If configured (Change Auditor for Exchange), this is the number of Exchange
Online/Office 365 events processed by the agent.

Excluded Events

If configured, this is the number of events excluded by the agent because they
originated from a user or computer that was defined as an excluded account.

Coordinator Connection
Status

This field displays the current status of the agent/coordinator connection: connected or
not connected.

Coordinators

This field displays the computer name (and SCP port) of the Change Auditor
coordinator(s) to which this agent is currently connected.
NOTE: For more details on agent connection behavior, see Appendix A: Installation
Notes and Best Practices in the Dell Change Auditor Installation Guide.

Last Conf Update

This field displays the time when the agent last downloaded the agent configuration
information/settings.

Events Last Sent

This field provides the local time when the last event was sent. If no events have been
detected by Change Auditor recently, this time may be fairly old.

Events Sent

This field displays the number of events that have been sent to a coordinator since the
agent was last started.

Acknowledged

This field displays the number of events that a coordinator has acknowledged.
Normally, this value will be the same as the Events Sent. However, it may be smaller if
the coordinator is not running or if a large number of events are being processed by the
coordinator which may be slowing it down. Events may also be lost due to
communication problems, in which case the Change Auditor agent will try to re-send the
events.

Events Waiting

This field displays the number of events in the agent database that are waiting to be
forwarded to a coordinator.
This value should be at or near zero when the server is idle, but can grow if it is busy. If
the value never returns to zero, it may indicate that the agent is having difficulty
communicating with the coordinator service. If this is the case, contact Technical
Support for assistance.

View agent status/statistics


To view agent status/statistics (Overview page):

1. Open the Overview page and if the Top Agent Activity pane is not displayed, click the arrow on the
heading of one of the overview panes and select Top Agent Activity.
This pane displays the top most active Change Auditor agents in your environment, based on the date
range specified.

By default, the agent activity on all servers for the past month, excluding uninstalled agents, will be
displayed. Use the controls at the top of this pane to specify the type of agented objects to be included
as well as the date range.

The values in the Audited Events column are links, which when selected will open up a new Search
Results tab to display the related details for these events.

2. If the Agent Status pane is not displayed, click the arrow on the heading of one of the overview panes
and select one of the following commands:

Agent Status | Enterprise View

Agent Status | <domain>

By default, this pane will only include active and inactive (installed) agents in the pie chart. You can,
however, select the Show Uninstalled Agents check box to include agents that are set as uninstalled in
the pie chart.

3. Double-clicking the pie chart will display the Agent Statistics page.

To view agent status/statistics (Agent Statistics page):

1. Open the Agent Statistics page.

2. Click the Refresh button to retrieve updated information.

3. Click the Show Uninstalled Agents tool bar button to include uninstalled agents. Click the Hide
Uninstalled Agents tool bar button to exclude uninstalled agents from the display.

The values in the different event columns are links, which when selected will open up a new Search
Results tab to display the related details for these events.


To view agent status/statistics on the current agent only (agent system tray icon):
NOTE: The agent system tray icon can be loaded using one of the following methods:

Click the Advanced Options tool bar button on the Deployment page to display the Advanced
Deployment Options dialog. From this dialog, select the appropriate Launch ServiceStatusTray on
startup option (Yes or Do not change).

Navigate to %ProgramFiles%\Dell\ChangeAuditor\Agent and double-click the ServiceStatusTray.exe
file.

Right-click the system tray icon and select the Agent Status command.

This will display the Change Auditor Agent Status dialog, which displays agent information (including if
the agent is running), event activity for the agent and coordinator connection information.

Click the OK button on this dialog to close the dialog.

Manage Change Auditor agents


NOTE: You can use the Action | Agent Notifications menu command to hide (or display) the desktop
notifications that are displayed when these processes are performed.

To stop an agent (Agent Statistics page):

1. Open the Agent Statistics page.

2. Select the agent to be stopped and click the Stop Agent tool bar button or right-click command.
NOTE: The Stop Agent command is only available when an agent is Active.

3. An information message will be displayed; click OK to stop the agent.

In addition, a desktop notification will be displayed in the lower right-hand corner of your screen
explaining that the selected agent is being disconnected from a specific coordinator.
Once disconnected, the agent's status will be changed to Inactive on the Agent Statistics page.

4. If you so choose, click the Set Agent Uninstalled tool bar button or right-click command to flag the
selected agent as Uninstalled.

5. Click the Show Uninstalled Agents tool bar button to include uninstalled agents in the Agent Statistics
list. Click the Hide Uninstalled Agents tool bar button to exclude uninstalled agents from the display.

To stop an agent (agent system tray icon):

NOTE: The agent system tray icon is only available for server agents.

1. From the server where the agent is installed, right-click the agent system tray icon and select Disable
Agent.

2. On the confirmation dialog, click Yes to stop the agent service.

A message will be displayed explaining that the agent is being stopped.

In addition, a desktop notification will be displayed in the lower right-hand corner of your screen
explaining that the selected agent is being disconnected from a specific coordinator.
Once disconnected, the agent system tray icon will contain a red light indicating that the agent is
inactive.


To start an agent (Agent Statistics page):

1. Open the Agent Statistics page.

2. Select a previously stopped agent and click the Start Agent tool bar button or right-click command.
NOTE: The Start Agent command is only available when an agent is Inactive.

3. An information message will be displayed explaining that it may take a few minutes to start the agent.
Click OK to start the agent.

In addition, a desktop notification will be displayed in the lower right-hand corner of your screen
explaining that the selected agent is being connected to a specific coordinator.
Once connected, the agent's status will return to Active on the Agent Statistics page.

To start an agent (agent system tray icon):

NOTE: The agent system tray icon is only available for server agents.

1. From the server where the agent is installed, right-click the agent system tray icon and select Enable
Agent.

A message will be displayed explaining that the agent is being started.

In addition, a desktop notification will be displayed in the lower right-hand corner of your screen
explaining that the selected agent is being connected to a specific coordinator.
Once connected, the agent system tray icon will no longer contain a red or yellow button, indicating that
the agent is now active.

Agent Log page


A new log page is created whenever the View Agent Log command is selected and displays the event details
recorded in the trace log for the selected agent.
IMPORTANT: For workstation log management (such as Get Logs or View Agent Log), the following must be
enabled on the workstation:

Windows Management Instrumentation (WMI) must be enabled in the firewall rule set (usually
domain) on the workstation

Network Discovery and File Sharing must be enabled

Remote Registry Service must be set to Start Automatically. By default, this service is stopped
and set to Manual for Windows 7 and Windows 8/8.1.
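
A local check of the three workstation prerequisites listed above, given here as an added example that is not part of the Dell guide. It assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), English display names for the built-in firewall rule groups, and that "File Sharing" corresponds to the "File and Printer Sharing" group; the function names are hypothetical.

```powershell
# Added example (not from the Change Auditor guide): report whether this
# workstation meets the prerequisites for remote log management
# (Get Logs / View Agent Log). Run in an elevated PowerShell session.
# Assumptions: NetSecurity module is present, firewall group display names
# are in English, and the Domain profile is the one that matters.

function Test-FirewallGroup {
    param(
        [Parameter(Mandatory = $true)] [string] $DisplayGroup,
        [string] $ProfilePattern = 'Domain|Any'   # the guide says "usually domain"
    )
    # ActiveStore is the effective policy, so rules delivered by Group Policy
    # are counted as well as locally defined ones.
    $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup $DisplayGroup `
                   -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Direction -eq 'Inbound' -and
            $_.Action    -eq 'Allow'   -and
            $_.Enabled   -eq 'True'    -and
            "$($_.Profile)" -match $ProfilePattern
        })
    [pscustomobject]@{
        Check  = "Firewall group: $DisplayGroup"
        Passed = ($rules.Count -gt 0)
        Detail = "$($rules.Count) enabled inbound allow rule(s) for profile '$ProfilePattern'"
    }
}

function Test-RemoteRegistryService {
    # Win32_Service reports StartMode as Auto, Manual or Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    if (-not $svc) {
        return [pscustomobject]@{
            Check  = 'Remote Registry service'
            Passed = $false
            Detail = 'Service not found'
        }
    }
    [pscustomobject]@{
        Check  = 'Remote Registry service'
        Passed = ($svc.StartMode -eq 'Auto')
        Detail = "StartMode=$($svc.StartMode), State=$($svc.State)"
    }
}

function Get-LogManagementReadiness {
    # One result object per prerequisite named in the IMPORTANT note.
    @(
        Test-FirewallGroup -DisplayGroup 'Windows Management Instrumentation (WMI)'
        Test-FirewallGroup -DisplayGroup 'Network Discovery'
        Test-FirewallGroup -DisplayGroup 'File and Printer Sharing'
        Test-RemoteRegistryService
    )
}

$results = Get-LogManagementReadiness
$results | Format-Table -AutoSize -Wrap

$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} prerequisite(s) not met: {1}" -f $failed.Count,
                   (($failed | ForEach-Object { $_.Check }) -join '; '))
}
```

Each of these settings widens the workstation's remote management surface, so the report is also useful for confirming that they are enabled only on the profile and hosts where log collection is actually required.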

The data grid and event details pane on this page contain the following information for each log entry. The
default column in the table below identifies the fields that are displayed in the data grid by default. To display
different fields, click the Field Chooser button located to the far left of the column headings.

Table 40. Agent Log page: Field descriptions


Column

Default

Description

File

No

Specifies the name of the source file that logged the message.

Function

No

Displays the name of the function that logged the message.

ID

No

Displays the event ID used to identify the event.


Level

Yes

Indicates the severity of the event message:

Info - For your information; does not require attention

Error - events that indicate a problem has occurred; requires attention

Warning - events that warn of potential problems; does not require
immediate attention

Line

No

Specifies the line within the source file that logged the message.

Logger

No

Specifies the logger used to log events.

Message

Yes

Displays the event message that was posted to the log.

Thread

No

Specifies the thread within the source file that logged the message.

Timestamp

Yes

Displays the date and time when the entry was posted to the log.
NOTE: Based on the client's current local date and time. The format used to
display this date and time is determined by the local machine's regional and
language setting.

Use the tool bar buttons at the top of the log page to scroll through the log and search for log entries.

Table 41. Agent Log page: Tool bar buttons

Refresh

Use to refresh and reload the log entries from the source file.
NOTE: Not available when the log page is launched using the View
Agent Log command.

Copy

Use to copy the selected content to the clip board. Use with the Select
All button to copy and paste the contents of the entire log into another
application.

Select All

Use to select the entire contents of the log. Use with the Copy button
to copy and paste the contents of the log into another application.

Find:

Enter a specific string of characters or word to be located in the log
and use the Find button to locate the text.

Show Matched Entries Only (Ctrl+M)

Use to display only the entries that match the word/string of
characters entered in the search text.


Match Case

Use to locate entries that match the case as it was entered in the
search text.

Previous

Use to move to the previous entry that contains the search text.

Next

Use to move to the next entry that contains the search text.

Print

Use one of the Print options to print or save the contents of the log.

View and save agent trace logs


To view Change Auditor logs (Statistics page):

1. Open the Statistics page.

2. Click the Logs | Open Log tool bar button or right-click command.

3. On the Open Log File dialog, use the controls at the top of the dialog to locate the Change Auditor log to
be viewed. Select the log file and click Open.

This will open a new page in the Change Auditor client which displays the log entries for the selected
log.

Whenever an entry is highlighted in the top pane, the corresponding details will be displayed in the
Event Details pane across the bottom of the screen.

4. Use the tool bar buttons as described above to search the log for a specific entry, to copy and paste the
contents of this log for use in another application, and print or save the contents of this log.

To save Change Auditor logs to a specific location (Agent Statistics page):

1. Open the Agent Statistics page.

2. Select one or more agents from the list and click the Logs | Get All Logs tool bar button or right-click
command.

3. On the Browse for Folder dialog, select the location where the logs for the selected agent(s) are to be
saved. Click the OK button to save your selection.
NOTE: If necessary, use the Make New Folder button to create a new folder for these logs.

To view Agent logs (Agent Statistics page):

1. Open the Agent Statistics page.

2. Select one or more agents from the list and click the Logs | View Agent Log tool bar button or
right-click command.

This will open a new page in the Change Auditor client which displays the selected agent's log
(ChangeAuditor.dll.nptlog). If multiple agents were selected, multiple log pages will be created.

Whenever an entry is highlighted in the top pane, the corresponding details will be displayed in the
Event Details pane across the bottom of the screen.
In addition, when an error is highlighted in the top pane and there is a call stack available for that error,
an Exception pane will also be displayed.

3. Use the tool bar buttons as described above to search the log for a specific entry, to copy and paste the
contents of this log for use in another application, and to print or save the contents of this log.

To view Agent logs (agent system tray icon):

NOTE: The agent system tray icon is only available for server agents.

1. On the server where the agent is installed, right-click the Change Auditor agent system tray icon and
select View Agent Logs.

This will launch the log viewer allowing you to review the events recorded in the selected agent's log
(ChangeAuditor.dll.nptlog).


23
Coordinator Statistics and Logs

Introduction

Coordinator Statistics page

Coordinator system tray icon

View coordinator status/statistics

Manage Change Auditor coordinators

Coordinator Log page

View and save coordinator trace logs

Introduction
In addition to the overview information provided in the Coordinator Status pane on the Overview page, Change
Auditor provides two additional means of obtaining coordinator status and statistics:

The Coordinator Statistics page provides a global view of all installed Change Auditor coordinators,
including the current status and other usage statistics for each coordinator.

The Change Auditor Coordinator Status dialog, which is accessed using the Change Auditor coordinator
system tray icon, provides the status and usage statistics for a single coordinator.

You can also view or retrieve coordinator trace logs from the Coordinator Statistics page or by using the
coordinator system tray icon.
This chapter provides a description of the Coordinator Statistics page as well as the Coordinator System tray
component and explains how to use these features to maintain Change Auditor coordinators.

Coordinator Statistics page


Use the View | Statistics | Coordinator menu command (or Shift+F11) to display the Coordinator Statistics
page, which provides a global view of all installed Change Auditor coordinators, including the current status of
the coordinators.
The Coordinator Statistics page may contain the following information for each coordinator. The default column
in the table below identifies the fields that are displayed by default. To display different fields, click the Field
Chooser button located to the far left of the column headings and select the columns to be displayed:

NOTE: All dates and times are based on the client's current local date and time. The format used to
display the date and time is determined by the local machine's regional and language setting.


Table 42. Coordinator Statistics page: Field descriptions


Column

Default

Description

Agents Connected

Yes

Displays the number of Change Auditor agents to which this coordinator
is connected.

Alerts Last 24 Hours

No

Displays the number of alerted event entries in the last 24 hours of the
coordinator operation.
The value in this field is a hypertext link and when selected displays the
alerts generated in the last 24 hours.

Alerts Last Hour

No

Displays the number of alerted event entries in the last 60 minutes.


The value in this field is a hypertext link and when selected displays the
alerts generated in the last 60 minutes.

Alerts Today

Yes

Displays the number of alerted event entries since local midnight today.
The value in this field is a hypertext link and when selected displays the
alerts generated since local midnight today.

Alerts Total

No

Displays the number of alerted events found in the coordinator
database.
The value in this field is a hypertext link and when selected displays the
alerts in the coordinator database.

Alerts Yesterday

No

Displays the number of alerted event entries from local midnight today
to local midnight yesterday.
The value in this field is a hypertext link and when selected displays the
alerts generated yesterday.

Architecture

No

Displays whether the coordinator is installed in a 32-bit (x86) or 64-bit
(x64) environment.

Client Port

Yes

Displays the port number assigned to the coordinator Service
Connection Point (SCP).

Coordinator

Yes

Displays the computer name of the Change Auditor coordinator.

Coordinator FQDN

No

Displays the fully qualified domain name of the coordinator.

DB Catalog

Yes

Displays the name assigned to the coordinator database during the
coordinator installation.

DB Instance

No

Displays the name of the SQL instance that is being used for the Change
Auditor coordinator database.

DB Size

Yes

Displays the size of the coordinator database, in kilobytes.

Domain

Yes

Displays the name of the domain where the coordinator is located.

Events Last 24 Hours

No

Displays the number of event entries received from all Change Auditor
agents in the last 24 hours of coordinator operation.

Events Last Hour

No

Displays the number of event entries received in the last 60 minutes of
the coordinator operation.

Events Today

Yes

Displays the number of event entries received since local midnight
today.

Events Total

No

Displays the number of entries found in the coordinator events
database.

Events Yesterday

No

Displays the number of event entries received from local midnight today
to local midnight yesterday.

Forest

No

Displays the name of the forest where the coordinator resides.

Startup Time

No

Displays the date and time when the coordinator was last initialized.

Status

Yes

Displays the current status of the coordinator:

running

initializing

stopped

failed

Uptime

Yes

Displays how long the coordinator has been running.

Version

Yes

Displays the current coordinator version installed on the server.

Coordinator system tray icon


During the coordinator installation process, Change Auditor automatically loads an icon in the system tray
of each Change Auditor coordinator. This system tray icon allows you to enable/disable the coordinator, display
the status of the coordinator installed on the current machine, and to change the database instance and service
accounts used to access the database. Whenever a coordinator is not active, a status indicator will appear in
the lower left corner of this icon to represent its current status:

Red - inactive

Yellow - initializing

By right-clicking on the Change Auditor coordinator icon in the system tray, a context menu is displayed which
consists of the following commands:

Table 43. Coordinator system tray icon: Right-click commands

Command

Description

Coordinator Status

Use the Coordinator Status command to display the Change Auditor Coordinator
Status dialog which assists you in determining if the coordinator is running, what
version is installed and how active the coordinator is.
See Change Auditor Coordinator Status dialog for a full description of this status
dialog.

Enable/Disable Coordinator

Use the Enable/Disable Coordinator command to start or stop the Change Auditor
coordinator.

View Coordinator Log

Use the View Coordinator Log command to launch the log viewer to review the
events recorded in the Change Auditor coordinator log
(ChangeAuditor.Service.exe.nptlog).
For example:
%ProgramFiles%\Dell\ChangeAuditor\Service\ChangeAuditor.Service.exe.nptlog

Coordinator Configuration

Use the Coordinator Configuration command to launch the Coordinator
Configuration Tool which allows you to:

modify the credentials used to access the Change Auditor coordinator
database

specify a static port to be used for communication with the coordinator

specify where the Active Directory/GPO protection templates are to be
stored: SQL (default) or Active Directory

See Coordinator Configuration tool for a description of how to use this utility.

Data Migration Tool

Use the Data Migration Tool command to launch the Data Migration Tool to migrate
legacy 5.x (5.6 or higher) data into a new or upgraded 6.x database or to move 6.x
data into an archive database.
See the Dell Change Auditor Installation Guide for a description of this utility.


Load On Startup

Use the Load on Startup command to automatically load the system tray
application when the Change Auditor coordinator starts.

About

Use the About command to display information about Change Auditor including the
installed version number and licensing information.

Exit

Use the Exit command to close the system tray application.

Change Auditor Coordinator Status dialog


The Change Auditor Coordinator Status dialog helps you determine if the Change Auditor coordinator is running
and what version is installed on the server. The other status information on the dialog is broken down into the
following sections:

Coordinator Information - displays the status, version number, SCP port and installation name for the
coordinator

Database Information - displays the coordinator database server, name and size

Agent Connections to this Coordinator - displays the total number of agents, including legacy (5.x)
agents, that are connected to the coordinator

Events and Alerts on this Coordinator - displays status information regarding events, alerts, and search
activities for this particular coordinator

The Change Auditor Coordinator Status dialog contains the following information:

Table 44. Change Auditor Coordinator Status dialog: Status information

Field

Description

Coordinator Information
Coordinator Status

Displays the current status of the coordinator:

Running

Initializing

Stopped

Failed

This value will normally be Running. If the credentials supplied for the database
access during the Change Auditor coordinator installation are incorrect or have
expired, this field will display Not Running indicating that the coordinator did not
successfully start. If this happens, use the Database Configuration Utility to change the
permissions trying to access the database.

Installation Name

Displays the installation name assigned to the coordinator during installation.

Client SCP Port

Displays the port number assigned to the coordinator Service Connection Point (SCP).

Version

Displays the current version of the coordinator installed on the server.

Database Information
SQL Server

Displays the name of the server where the coordinator resides.

Database Catalog

Displays the name assigned to the coordinator database during the coordinator
installation.

Database Size

Displays the size of the Change Auditor coordinator database, in megabytes.

Agent Connections to This Coordinator


Agents Connected (Total)

Displays the total number of Change Auditor agents connected to this coordinator.

Legacy Agents Connected (5.x)

Displays the number of legacy (5.x) Change Auditor agents connected to this
coordinator.

Events and Alerts on This Coordinator


Total Events

Displays the number of events this coordinator has received since it was last started.

Events in Receive Buffer

Displays the number of events that have not yet been processed by this coordinator
and forwarded to the Change Auditor client.

Average Events Per Second

Displays the average number of events processed by this coordinator per second.

Coordinator Configuration tool


The Coordinator Configuration tool can be used to modify the credentials used by the Change Auditor
coordinator when accessing the database. The Coordinator Configuration tool is accessed through the Change
Auditor coordinator system tray icon.

By right-clicking on the coordinator system tray icon and selecting the Coordinator Configuration command,
the Coordinator Configuration tool appears allowing you to:

modify the credentials to be used to access the Change Auditor database

change the database instance

specify static SCP listening ports to be used to communicate with the coordinator

specify where the Active Directory and GPO protection templates are to be stored: SQL (default) or
Active Directory

This tool consists of the following tabbed pages:

Security page

Ports page

Protection page

Security page
From the Security page, you can change the database instance and service accounts used to access the
database.
NOTE: If User Account Control (UAC) is enabled, a confirmation dialog appears where you can authorize
the Coordinator Configuration tool to use the required elevated rights.
Use the fields/options on this dialog to enter the credentials to be used to access the designated SQL
Server/instance as described below:

SQL server and instance


Enter the name or IP address of the SQL instance to be used (i.e., <Server Name>\<Instance Name>).
You can also click the Browse button to locate and select the SQL server and instance.

Name of database Catalog


This text box displays the name assigned to the Change Auditor database.

Connect using

Specify whether Windows authentication or SQL server authentication is to be used when
communicating with the SQL database instance. (The authentication method is set up when SQL is
installed.)

Windows Authentication - this option is selected by default and will use Windows authentication
to access the database.

SQL Server Authentication - select this option to use SQL Server authentication to access the
database.

Depending on the authentication option selected above, enter the appropriate user credentials.

Login ID
Enter the user name for the account to be used to access the SQL server instance.

Password
Enter the password associated with the user account entered above.

Domain
Enter the domain name for the Windows account to be used to access the designated SQL server
instance. (Only valid for Windows Authentication.)

Ports page
By default, Change Auditor dynamically assigns communication ports for each installed coordinator. However,
using the Ports page of the Coordinator Configuration dialog, you can specify static SCP listening ports to be
used to communicate with the Change Auditor coordinator.
NOTE: If you upgraded from a 5.x installation where static ports were defined, these static ports will be
retained as part of the upgrade process. However, the Agent Port setting, which is new and is used by 6.0
agents, will be set to use a dynamic port. (Note that the 5.x agents now use the Agent Port (Legacy)
setting on this page.) Check with your system administrator to determine whether this new connection
should also be using a static port.
Enter the port(s) to be used to communicate with the coordinator:
NOTE: A zero (0) indicates that a dynamic port is being used. If you have set a static port and wish to use
a dynamic port, change the port number back to 0.

Client Port
Enter the static port number to be used by the Change Auditor client to communicate with the
coordinator.

Public SDK Port
Enter the static port number to be used by external applications to access the Change Auditor
coordinator.

Agent Port (Legacy)
Enter the static port number to be used for communication between a legacy (5.x) Change Auditor agent
and a coordinator.

Agent Port
Enter the static port number to be used for communication between a Change Auditor agent (6.x) and a
coordinator.
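
A planned static-port assignment can be checked on the coordinator server before and after it is entered on the Ports page. The following PowerShell is an added example, not part of the Dell guide: the port numbers are constructed placeholders (not product defaults), the function name is hypothetical, and it assumes the coordinator's listening ports are TCP.

```powershell
# Added example (not from the Change Auditor guide). Run on the coordinator server.
# Port numbers are constructed placeholders, NOT product defaults.
# Assumption: the coordinator's listening ports are TCP.
$PortPlan = [ordered]@{
    'Client Port'         = 20001
    'Public SDK Port'     = 20002
    'Agent Port (Legacy)' = 20003
    'Agent Port'          = 0      # 0 = dynamic, as described on the Ports page
}

function Test-CoordinatorPortPlan {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Collections.IDictionary] $Plan
    )

    # Static (non-zero) port numbers that are assigned to more than one setting.
    $duplicates = @($Plan.Values |
        Where-Object { $_ -ne 0 } |
        Group-Object |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [int]$_.Name })

    foreach ($setting in @($Plan.Keys)) {
        $port     = [int]$Plan[$setting]
        $issues   = @()
        $listener = $null

        if ($port -eq 0) {
            $issues += 'dynamic port: cannot be pinned in a port-based firewall rule'
        }
        elseif ($port -lt 1 -or $port -gt 65535) {
            $issues += 'not a valid port number (1-65535)'
        }
        else {
            if ($duplicates -contains $port) {
                $issues += 'same port assigned to more than one setting'
            }
            if ($port -ge 49152) {
                $issues += 'inside the default Windows dynamic port range (49152-65535)'
            }
            # Which process, if any, is listening on this port right now?
            $conn = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($conn) {
                $proc     = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
                $listener = if ($proc) { $proc.ProcessName } else { "PID $($conn.OwningProcess)" }
            }
        }

        [pscustomobject]@{
            Setting  = $setting
            Port     = $port
            Listener = $listener
            Issues   = $issues -join '; '
        }
    }
}

Test-CoordinatorPortPlan -Plan $PortPlan | Format-Table -AutoSize -Wrap
```

Before the static ports are applied, the Listener column should be empty for every chosen port; afterwards it should show the coordinator service process and nothing else.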

Protection page

By default, Change Auditor stores the Active Directory and GPO protection templates in SQL. However, you
can use the Protection page of the Coordinator Configuration dialog to have Change Auditor store the Active
Directory and GPO protection templates in Active Directory instead of SQL.
NOTE: When you have selected to store your Active Directory and Group Policy protection templates in
Active Directory, you can use the Security feature on the Active Directory Protection page or Group Policy
Protection page to provide an additional layer of security. The additional setting is intended for customers
who require tighter security ACLs on their Active Directory and GPO objects and templates (i.e., the
Change Auditor SQL database may not be fully secured by ChangeAuditor Administrators). For more
information about setting this additional security on protected objects, see the Dell Change Auditor for
Active Directory User Guide.
Specify the appropriate option for storing Active Directory/GPO protection and ADAM (AD LDS) protection:

Store Active Directory/GPO Protection in:
Select one of the following options:
    SQL (default)
    AD

Store ADAM (AD LDS) Protection in:
Select one of the following options:
    SQL (default)
    AD

View coordinator status/statistics

To view coordinator status/statistics (Overview page):
1. Open the Overview page and if the Coordinator Status overview pane is not being displayed, click the
   arrow button on an overview pane and select one of the following commands:
       Coordinator Status | Enterprise View
       Coordinator Status | <domain>
   This will display a pie chart depicting the current status of all the Change Auditor coordinators installed
   in either the entire enterprise or in a selected domain.
2. By default, this pane will only include installed coordinators in the pie chart. You can however, select the
   Show Uninstalled Coordinators check box to include uninstalled coordinators in the pie chart.

Double-clicking the pie chart will display the Coordinator Statistics page.

To view coordinator status/statistics (Coordinator Statistics page):
1. Open the Coordinator Statistics page.
2. Click the Show Uninstalled Coordinators tool bar button to include coordinators set as uninstalled.
   Click the Hide Uninstalled Coordinators tool bar button to exclude these coordinators from the display.

The values in the different event columns are links, which when selected will open up a new Search
Results tab to display the related details for these events.

To view coordinator status/statistics on current coordinator only (coordinator system tray icon):
1. From the server where the coordinator is installed, right-click the coordinator system tray icon and
   select Coordinator Status.
   This will display the Change Auditor Coordinator Status dialog, which displays status and statistics
   regarding the coordinator, database, agent connections and events and alerts.
2. Click the OK button to close this dialog.

Manage Change Auditor coordinators

NOTE: You can use the Action | Agent Notifications menu command to hide (or display) the desktop
notifications that are displayed when these processes are performed.

To stop a coordinator:
1. From the server where the coordinator is installed, right-click the coordinator system tray icon and
   select Disable Coordinator.
2. On the confirmation dialog, click Yes to stop the coordinator service.
   A message will be displayed explaining that the coordinator is being stopped.
   In addition, a desktop notification will be displayed in the lower right-hand corner of your screen
   explaining that the selected coordinator is being disabled.
   Once disabled, the coordinator system tray icon will contain a red light indicating that the
   coordinator is disabled.
3. If you so choose, click the Set Coordinator Uninstalled tool bar button or right-click command to flag
   the selected coordinator as Uninstalled.
4. Click the Show Uninstalled Coordinators tool bar button to include uninstalled coordinators in the
   Coordinator Statistics list. Click the Hide Uninstalled Coordinators tool bar button to exclude
   uninstalled coordinators from the display.

To start a coordinator:
1. From the server where the coordinator is installed, right-click the coordinator system tray icon and
   select Enable Coordinator.
   A message will be displayed explaining that the coordinator is being started.
   In addition, a desktop notification will be displayed in the lower right-hand corner of your screen
   explaining that the selected coordinator is being started.
   Once restarted, the coordinator system tray icon will no longer contain a red or yellow button, indicating
   that the coordinator is now active.

Coordinator Log page


Two new log pages are created whenever the View Coordinator Log command is selected. These log pages
contain the event details that were recorded in each of these trace logs for the selected coordinator:

Service: CA4xCompat.dll.nptlog - this log includes the messages logged during agent to coordinator
communications.

Service: ChangeAuditor.Service.exe.nptlog - this log includes the messages logged during client to
coordinator communications.

The data grid and event details pane on this page contain the following information for each log entry. The
Default column in the table below identifies the fields that are displayed in the data grid by default. To display
different fields, click the Field Chooser button located to the far left of the column headings.

Table 45. Coordinator Log page: Field descriptions
Columns: Column, Default, Description

File
Default: No
Specifies the name of the source file that logged the message.

Function
Default: No
Displays the name of the function that logged the message.

ID
Default: No
Displays the event ID used to identify the event.

Level
Default: Yes
Indicates the severity of the event message:
    Info - For your information; does not require attention
    Error - events that indicate a problem has occurred; requires attention
    Warning - events that warn of potential problems; does not require immediate attention

Line
Default: No
Specifies the line within the source file that logged the message.

Logger
Default: No
Specifies the logger used to log events.

Message
Default: Yes
Displays the event message that was posted to the log.

Thread
Default: No
Specifies the thread within the source file that logged the message.

Timestamp
Default: Yes
Displays the date and time when the entry was posted to the log.
NOTE: Based on the client's current local date and time. The format used to
display this date and time is determined by the local machine's regional and
language setting.

Use the tool bar buttons at the top of the log page to scroll through the log and search for log entries.

Table 46. Coordinator Log page: Tool bar buttons

Refresh
Use to refresh and reload the log entries from the source file.
NOTE: Not available when the log page is launched using the View Coordinator Log command.

Copy
Use to copy the selected content to the clipboard. Use with the Select All button to copy and paste the
contents of the entire log into another application.

Select All
Use to select the entire contents of the log. Use with the Copy button to copy and paste the contents of
the log into another application.

Find:
Enter a specific string of characters or word to be located in the log and use the Find button to locate
the text.

Show Matched Entries Only (Ctrl+M)
Use to display only the entries that match the word/string of characters entered in the search text.

Match Case
Use to locate entries that match the case as it was entered in the search text.

Previous
Use to move to the previous entry that contains the search text.

Next
Use to move to the next entry that contains the search text.

Print
Use one of the Print options to print or save the contents of the log.

View and save coordinator trace logs

To view Change Auditor logs (Statistics page):
1. Open the Statistics page.
2. Click the Logs | Open Log tool bar button or right-click command.
3. On the Open Log File dialog, use the controls at the top of the dialog to locate the Change Auditor log to
   be viewed. Select the log file and click Open.
   This will open a new page in the Change Auditor client which displays the log entries for the selected
   log.
   Whenever an entry is highlighted in the top pane, the corresponding details will be displayed in the
   Event Details pane across the bottom of the screen.
4. Use the tool bar buttons as described above to search the log for a specific entry, to copy and paste the
   contents of this log for use in another application, and print or save the contents of this log.

To save Change Auditor logs to a specific location (Coordinator Statistics page):
1. Open the Coordinator Statistics page.
2. Select a coordinator from the list and click the Logs | Get All Logs tool bar button or right-click
   command.
3. On the Browse for Folder dialog, select the location where these logs are to be saved. Click the OK
   button to save your selection.
   NOTE: If necessary, click the Make New Folder button to create a new folder for these logs.

To view the coordinator log (Coordinator Statistics page):
1. Open the Coordinator Statistics page.
2. Select a coordinator from the list and click the Logs | View Coordinator Log tool bar button or
   right-click command.
   This will open a new page in the Change Auditor client which displays the log entries in the Change
   Auditor coordinator log (ChangeAuditor.Service.exe.nptlog).
   Whenever an entry is highlighted in the top pane, the corresponding details will be displayed in the
   Event Details pane across the bottom of the screen.
   In addition, when an error is highlighted in the top pane and there is a call stack available for that error,
   an Exception pane will also be displayed.
3. Use the tool bar buttons as described above to search the log for a specific entry, to copy and paste the
   contents of this log for use in another application, and to print or save the contents of this log.

To view the coordinator log (coordinator system tray icon):
1. From the server where the coordinator is installed, right-click the coordinator system tray icon and
   select View Coordinator Log.
   This will launch the log viewer, allowing you to review the entries recorded in the Change Auditor
   coordinator log (ChangeAuditor.Service.exe.nptlog).

Appendix A: Change Auditor Commands

This appendix lists the commands available throughout the Change Auditor client. The tables in this appendix
list the following commands that are available throughout the entire client:
    Menu commands
    Tool bar buttons
    Right-click commands

Menu commands

The Change Auditor menus follow the same convention as standard Windows menus. That is, commands are
grouped under a menu on the menu bar. Some of these commands perform an action immediately; others
display an additional dialog or launch a wizard where you select various options or specify additional
information.
The following table provides a description of the commands available under each of the Change Auditor menus.
Table 47. Menu commands
Columns: Menu command, Shortcut key, Description

File Menu

Connect
Shortcut key: Ctrl+O
Use to display the Connection screen to select the connection profile to be used to connect to a Change
Auditor coordinator. This command is only available when the client is disconnected from a coordinator.

Disconnect
Shortcut key: Ctrl+D
Use to disconnect from the current coordinator.

Open Log
Use to view one of the Change Auditor log files. Selecting this command will display the Open Log dialog
allowing you to select the log file to be viewed. Once selected, a new tabbed page will be created in the
Change Auditor client displaying the entries logged in the selected log.

Open Client Log
Use to view the current Change Auditor client log. A new tabbed page will be created in the Change
Auditor client displaying the entries logged to the current client log.

Print
Shortcut key: Ctrl+P
Use to send the contents of the displayed page to the designated printer. When you select this command,
the native Print dialog will be displayed allowing you to specify various print options.

Print to File
Shortcut key: Ctrl+Shift+F
Use to save the contents of the displayed page to either an Excel (.xls) or comma delimited (.csv) file.
When you select this command, the native Save As dialog will be displayed allowing you to specify the
location, file name and type of file to be created.

Print to PDF
Shortcut key: Ctrl+Shift+D
Use to save the contents of the displayed page to a PDF file. When you select this command, the native
Save As dialog will be displayed allowing you to specify the location and file name.

Print Preview
Shortcut key: Ctrl+Shift+P
Use to preview the contents of the displayed page prior to printing it.

Page Setup
Shortcut key: Ctrl+Shift+U
Use to define the page settings for printing. Selecting this command will display the native Page Setup
dialog allowing you to define the paper, page orientation and margins.

Exit
Shortcut key: Ctrl+Q
Use to close the Change Auditor client.

Edit Menu

Cut
Shortcut key: Ctrl+X
Use to move the selected item (folder or search definition) to a different location in the explorer view
(left pane) on the Searches page. Once cut, this item can then be pasted (or moved) to another location.

Copy
Shortcut key: Ctrl+C
Use to copy the selected item (folder or search definition) to another location in the explorer view (left
pane) on the Searches page. Once copied, a copy of this item can be pasted to another location.

Paste
Shortcut key: Ctrl+V
Use to paste the contents of the clipboard (folder or search definition) to the selected location.

Delete
Use to remove the selected user-defined item (folder or search definition).

Move
Use to move the selected item (folder or search definition) to another location in the explorer view (left
pane) on the Searches page. Selecting this command will display the Select the Destination Folder dialog
allowing you to select the new location.

Action Menu

Refresh
Shortcut key: F5
Use to retrieve and redisplay current data.

Autofit Columns to Contents
Shortcut key: Ctrl+F
Use to resize the columns based on the content, which will eliminate the scroll bars.

Reset Display
Use to close multiple client windows and return to a single client window.

Show XML Tab
Use to display the XML tab, which displays the XML representation of a selected search criteria, at the
end of the Search Properties tabs.
NOTE: This command is only available from the Searches page and a Search Results page.

Show SQL Tab
Use to display the SQL tab, which displays the SQL query built to run a selected search, at the end of the
Search Properties tabs.
NOTE: This command is only available from the Searches page and a Search Results page.

Auto Connect
Use to enable or disable the auto connect feature. When enabled, the Connection Profile dialog will not
be displayed when the client is launched. Instead, the previously specified connection profile will
automatically be used to connect to the coordinator.

Agent Notifications
Use to hide (or display) the desktop notification that is displayed in the lower right-hand corner of the
screen whenever an agent is connected or disconnected from the Change Auditor coordinator, or when the
coordinator is stopped or started.
NOTE: Agent Notifications is enabled by default.

Agent Auto Refresh
Use to enable or disable the refreshing of the currently displayed grid (on the Deployment, Overview or
Agent Statistics page) when an agent either connects or disconnects.
NOTE: Agent Auto Refresh is enabled by default.

Hide Unlicensed Components
Use to hide unlicensed components from the Administration Tasks tab and unlicensed events throughout
the client.
NOTE: This command is only available from the Administration Tasks tab.
NOTE: This feature only applies to users who have never had a specific product license (e.g., Change
Auditor for Exchange). Users who had a trial license that has expired, will not be able to hide components.
This is so that you can continue to search for events that may have occurred during your trial period.

Export
Use to export the Administration settings, such as configurations and settings, and auditing and
protection templates, into an XML file. Selecting this command displays an Export dialog allowing you to
select the settings/templates to be exported.
NOTE: This command is only available from the Administration Tasks tab.

Import
Use to import previously exported Administration settings. Selecting this command displays an Import
dialog allowing you to select the settings/templates to be imported.
NOTE: This command is only available from the Administration Tasks tab.

View Menu

Deployment
Shortcut key: Ctrl+F8
Use to display the Deployment page, from which you can deploy Change Auditor agents.

Overview
Shortcut key: Ctrl+F9
Use to display the Overview page, which displays the results of your favorite search as well as an
overview of the following information:
    Top agent activity
    Recent event activity
    Count of events by event class, facility, location, severity, result or subsystem
    Agent status for the entire enterprise or individual domain
    Coordinator status for the entire enterprise or a single domain
    Alert history counts

Searches
Shortcut key: Ctrl+F10
Use to display the Searches page, from which you can run searches, define new searches and enable
alerting.

Statistics | Agent
Shortcut key: Ctrl+F11
Use to display the Agent Statistics page which provides a global view of all your agents, providing you
with their current status and statistics.

Statistics | Coordinator
Shortcut key: Shift+F11
Use to display the Coordinator Statistics page which provides coordinator status, database information
and agent connection, event and alert data.

Administration
Shortcut key: Ctrl+F12
Use to display the Administration Tasks tab which provides a single location where you can perform
various administrative tasks related to configuring Change Auditor, customizing the auditing process and
defining protection.

Close All Windows
Use to close all open windows.


List of open windows
The remainder of this menu lists all of the windows that are currently opened in the Change Auditor
client. A check mark to the left of a window indicates the window that is currently active.

Help Menu

About
Use to display the Dell Change Auditor dialog which displays the following information:
    The About tab displays the current version, patent, trademark and copyright statements.
    The License tab provides license compliance information.
    The Legal Notices tab displays acknowledgments for third-party components that are used in Change Auditor.
    The Contact tab provides contact information for technical support, product questions and sales.
Select the Participate in the Change Auditor Software Improvement Program check box to participate in
the Dell Software Improvement Program, which provides generalized metrics on how you are using Change
Auditor to the product team. Clear this check box to stop participating in this program.

Feedback
Use to access product forums to provide feedback on using Change Auditor and to collect system logs
that can be sent to Dell's Technical Support to assist in troubleshooting your case.

Contents
Shortcut key: F1
Use to display the contents and initial screen of the Change Auditor online help.

Tool bar buttons


The following table lists all of the commands available on the various tool bars in the Change Auditor client. It
lists the commands/buttons in alphabetical order and provides a brief description of each command.
NOTE: When a tool bar button contains an arrow to the far right, this indicates that you can expand the
button to select an additional command.
Table 48. Tool bar buttons
Columns: Tool bar button, Description, Change Auditor pages (shown as "Pages")

Add
Depending on the page, use to add an entry to a search criteria list, add an object to an auditing list,
define a new template, create a scheduled purge job, etc.
Pages: Most Administration Tasks pages

Add (Add Role Definition, Add Task Definition, Add Application Group)
Use the Add options as defined below:
    Add Role Definition - use to define a new role defining who is authorized to perform the selected
    tasks and/or operations.
    Add Task Definition - use to define a new task defining the operations that can be performed.
    Add Application Group - use to define a new Authorization Manager Application Group.
Pages: Application User Interface page

Add (Subsystem, Event Class, Object Class, Severity, Results)
Use to add an entity (subsystem, event class, object class, severity or results) to the What search
criteria list or purge criteria.
Pages: What tab

Add with Events (Subsystem, Event Class, Object Class, Severity, Results)
Use to add an entity that already has an event associated with it in the coordinator database to the What
search criteria list or purge criteria.
Pages: What tab

Add with Events
Use to add an entity that already has an event associated with it in the coordinator database to the
search or purge criteria.
Pages: Who tab

Add | Add Wildcard Expression
Use to specify a wildcard expression for the search criteria or purge criteria.
Pages: Who tab

Add | Exclude
Use to exclude a mailbox from Exchange auditing.
Pages: Exchange Mailbox Auditing page

Add | Select Multiple Objects

Advanced Options | Advanced Options

Advanced Options | ActiveRoles Integration
Deploy Scripts Only

Where tab
Origin tab

Use to define custom Active Directory and ADAM auditing - defining the objects, classes and/or
attributes to be audited by Change Auditor.

Use to display the Advanced Deployment Options dialog where you can view or modify the following
settings:
    Specify Agent Installation Location
    Specify a Custom Share on the Remote Server
    Launch ServiceStatusTray on startup
    Restart Agent on failure
    Specify a Group Policy Backup

Where tab

Active Directory Auditing page
ADAM (AD LDS) Auditing page

Deployment page

Deploy Scripts and Excluded Accounts

Use the ActiveRoles Integration options as described below:
    Deploy Scripts Only - use to copy and run the ARS integration scripts on the ARS server. These scripts
    instruct ARS to capture the initiator information for all users and pass this information onto Change
    Auditor.
    Deploy Scripts and Excluded Accounts - use to specify user and computer accounts that are to be
    excluded from this integration. Change Auditor then deploys the ARS integration scripts that signal ARS
    to retrieve the initiator information for all users except for those specified for exclusion.
Refer to the Dell Change Auditor Installation Guide for more information on One Identity ActiveRoles
Server integration.

Deployment page

Alert Properties
Use to display the Alert properties across the bottom of the Alert History page.
Pages: Alert History page

Apply Changes
Use to save your coordinator configuration settings.
Pages: Coordinator Configuration page

Assign
Use to assign an agent configuration to the selected agents or to assign a template to an agent
configuration.
Pages: Agent Configuration page, Excluded Accounts Auditing page, SQL Auditing page, File System
Auditing page, Registry Auditing page, Services Auditing page, SonicWALL Auditing pages, File System
Protection page

Comments
Use to enter a comment for the selected event.
Pages: Event Details pane

Configurations
Use to display the Configuration Setup dialog to add, edit or delete agent configuration definitions.
Pages: Agent Configuration page

Connect To
Use this button to select the domain controller to be used to apply ACLs or to revert back to the client's
default global catalog.
NOTE: This button is available only when you have selected to save your Active Directory and Group
Policy protection templates to Active Directory using the Protection tab of the Coordinator Configuration
tool.
Pages: Active Directory Protection page, Group Policy Protection page

Copy
Use to copy the displayed event details to the clipboard.
Pages: Log pages, Event Details pane, SQL tab, XML tab

Credentials (Set, Clear, Test)
Use to set, clear or test the credentials to be used for installing agents on the selected domain.
Pages: Deployment page

Default
Use to reset the severity and enabled settings of the selected events back to the factory defaults.
Pages: Audit Events page

Default All
Use to reset all agent configurations back to the default configuration.
Pages: Agent Configuration page

Delete
Use to remove the selected entry from the list.
Pages: Application User Interface page, Member of Group Auditing page, Excluded AD Query Auditing
page, Exchange Mailbox Auditing page, Purge Jobs page, Report Layouts page, Who tab, Where tab,
Origin tab

Delete | Delete Administration Account
Use to remove the selected administration account from an Active Directory, ADAM (AD LDS), or Group
Policy protection template.
Pages: Active Directory Protection page, ADAM (AD LDS) Protection page, Group Policy Protection page

Delete | Delete Agent
Use to remove the selected Change Auditor agent from an EMC or NetApp auditing template.
Pages: EMC Auditing page, NetApp Auditing page

Delete | Delete Excluded Account
Use to remove the selected account from an Excluded Accounts auditing template.
Pages: Excluded Accounts Auditing page

Delete | Delete File Path
Use to remove the selected file path from a File System auditing or protection template, an EMC
auditing template or a NetApp auditing template.
Pages: File System Auditing page, EMC Auditing page, NetApp Auditing page

Delete | Delete Object
Use to remove the selected object from custom Active Directory or ADAM auditing; an Active
Directory, ADAM (AD LDS) or Group Policy protection template.
Pages: Active Directory Auditing & Protection pages, ADAM (AD LDS) Auditing & Protection pages,
Group Policy Protection page

Delete | Delete Object Class
Use to remove the selected object class from the Active Directory or ADAM (AD LDS) auditing list.
Pages: Active Directory Auditing page, ADAM (AD LDS) Auditing page

Delete | Delete Override Account
Use to remove the selected override account from a protection template.
Pages: Protection pages

Delete | Delete Path
Use to remove the selected path from the auditing template.
Pages: SharePoint Auditing page

Delete | Delete Registry Key
Use to remove the selected registry key from a Registry auditing template.
Pages: Registry Auditing page

Delete | Delete Service
Use to remove the selected service from a Service auditing template.
Pages: Service Auditing page

Delete | Delete SQL Instance
Use to remove the selected SQL instance from a SQL auditing template.
Pages: SQL Auditing page

Delete | Delete Template
Use to remove the selected auditing or protection template.
Pages: Auditing pages, Protection pages

Delete Criteria
Use to remove the selected entry from the What search criteria list.
Pages: What tab

Design Report
Use to launch the report designer to create a custom report layout for a selected search query.
Pages: Report tab

Disable
Use to disable the selected events.
Pages: Audit Events page, Event Details pane

Disable Alert
Used to disable a private alert.
Pages: Private Alerts and Reports page

Disable Report
Used to disable a private report.
Pages: Private Alerts and Reports page

Edit
Use to modify the selected item.
Pages: Most Administration Tasks pages, including: Purge Jobs page, Report Layouts page, Application
User Interface page, Auditing pages, Protection pages

Edit Event Class
Use to modify the selected entry in the What search criteria list.
Pages: What tab

Edit Logon
Use to modify the type of logons included in a logon search.
Pages: What tab

Email
Use to launch the configured email client to email the selected event details.
Pages: Event Details pane

Enable
Use to enable the selected events.
Pages: Audit Events page, Event Details pane

Event Details
Use to display the Event Details pane across the bottom of the Overview pane, Search Results page,
or Alert History page.
Pages: Overview page, Search Results page, Alert History page

Event Logging
Use to enable or disable event logging.
Pages: Agent Configuration page

Explorer View
Use to show the explorer view in the left-hand pane of the Searches page.
Pages: Searches page

Find
Use to search for text in the currently displayed trace log. Enter a word or string of characters to be
located.
Pages: Log pages

Force Refresh
Use to force a topology harvest refresh to discover new servers added to the Active Directory forest
and display them on the Deployment page.
NOTE: Topology scan takes a long time when the environment contains a large number of
workstations.
Pages: Deployment page

Grid View
Use to hide the explorer view and display only the Searches list on the Searches page.
Pages: Searches page

Hide Properties
Use to hide the Search Properties tabs across the bottom of the Searches page.
Pages: Searches page
Use to hide the Resource Properties pane across the bottom of the Agent Statistics page.
Pages: Agent Statistics page

Hide Uninstalled Agents
Use to remove uninstalled agents from the current Agent Statistics view.
Pages: Agent Statistics page

Hide Uninstalled Coordinators
Use to remove uninstalled coordinators from the current Coordinator Statistics view.
Pages: Coordinator Statistics page

High/Medium/Low
Use to change the severity level assigned to the selected events.
Pages: Audit Events page

Install or Upgrade
Use to install or upgrade a Change Auditor agent on the selected servers.
Pages: Deployment page

Knowledge Base
Use to display the associated Event Reference Guide.
Pages: Audit Events page, Event Details pane

Logs (Open Log, Get All Logs, View Agent Log, View Coordinator Log)
Use the Log options as described below:
    Open Log - use to retrieve a Change Auditor trace log file and display it in the Change Auditor client.
    Get All Logs - use to retrieve any associated logs and save them to a specified location on the local
    machine.
    View Agent Log - use to display the current Change Auditor agent trace log in the Change Auditor
    client.
    View Coordinator Log - use to display the current coordinator trace log in the Change Auditor client.
Pages: Agent Configuration page, Agent Statistics page, Coordinator Statistics page, Deployment page

Match Case
Use to locate log entries that match the case that was entered in the search text.
Pages: Log pages

New (New Folder, New Search)
Use the New options as described below:
    New Folder - use to create a new folder in the explorer view of the Searches page.
    New Search - use to create a new search definition.
Pages: Searches page

New Servers
Use to enable or disable the automatic deployment of agents to new servers found in your Active
Directory forest.
Pages: Deployment page

Next
Use to move to the next log entry that contains the search text.
Pages: Log pages

Overviews
Use to display the Overview panes across the bottom of the Overview page.
Pages: Overview page

Preview Changes
Use to run the search based on the changes made to the search query and display the results in the
current Search Results page.
Pages: Search Properties tabs (Search Results page)

Preview Report
Use to display a query results report.
Pages: Report tab

Previous
Use to move to the previous log entry that contains the search text.
Pages: Log pages


Print

Use the print options to print or save the contents of the displayed page.

All pages

Print
Print to File
Print to PDF
Print Preview
Page Setup

Print - use to send the contents of the active page to a designated printer.

Print to File - use to save the contents of the active page to either an Excel (.xls) or comma delimited (.csv) file.

Print to PDF - use to save the contents of the active page to a PDF file.

Print Preview - use to display the print layout of the active page prior to printing it.

Page Setup - use to define the page settings for printing.

Refresh

Use to retrieve and display the latest data available.

Overview page

Refresh Configuration

Use to retrieve the current agent configuration assignments.

Agent Configuration page

Refresh Status

Use to refresh the deployment status of the selected servers.

Deployment page

Related Search

Use to view additional details about the user who initiated the change, view resource details about the machine where the change occurred, or run related searches based on the who, where, what, when or origin of an event.

Event Details pane

Restart Agent

Use to stop and then restart a Change Auditor agent. This button is only available when an agent is in an active state.

Agent Statistics page

Restore Value

Use to restore the current value (To value) to its previous value (From value).

Event Details pane

Log pages

NOTE: Applies to 6.x events reporting Active Directory attribute changes only.

Run

Use to run the selected search and display the events returned in a new Search Results page.

Searches page
Search Properties tabs

Save

Use to save a newly created search or modifications made to a search definition.

Search Properties tabs

Save As

Use the Save As options as described below:

Search Properties tabs

Save As
Save As Default

Save As - use to save the search definition using a different name and/or location.

Save As Default - use to save the search definition as the new default for creating new searches.

Search Properties

Use to display the Search Properties tabs across the bottom of the page.

Search Results page

Select All

Use to select all the entries in the currently displayed trace log, which can then be copied for use in another application.

Log pages

Set Agent Uninstalled

Use to flag the selected Change Auditor agent as uninstalled.

Agent Statistics page

NOTE: This button is only available when the selected agent is in an active state.

Set Coordinator Uninstalled

Use to flag the selected Change Auditor coordinator as uninstalled.

Coordinator Statistics page

NOTE: This button is only available when the selected coordinator is in an active state.

Shared Mailboxes

Use to view automatically detected shared mailboxes or to define a shared mailbox on the Exchange Mailbox auditing page.

Exchange Mailbox Auditing page

Show Matched Entries Only

Use to display only the log entries that match the word/string of characters entered in the search text.

Log pages

Show Properties

Use to display the Search Properties tabs across the bottom of the Searches page.

Searches page

Use to display the Resource Properties pane across the bottom of the Agent Statistics page.

Agent Statistics page

Show Uninstalled Agents

Use to include uninstalled agents in the current Agent Statistics view.

Agent Statistics page

Show Uninstalled Coordinators

Use to include uninstalled coordinators in the current Coordinator Statistics view.

Coordinator Statistics page

Start Agent

Use to start a stopped Change Auditor agent. This button is only available when an agent is in an inactive state.

Agent Statistics page

Stop Agent

Use to stop a Change Auditor agent. This button is only available when an agent is in an active state.

Agent Statistics page

Test SMTP

Use to generate a test email based on the configuration information entered in the SMTP Configuration pane.

Coordinator Configuration page

Test SNMP

Use to generate a test SNMP trap based on the configuration information entered in the SMTP Configuration pane.

Coordinator Configuration page

Uninstall

Use to uninstall the Change Auditor agent from the selected servers.

Deployment page

Right-click commands
The following table lists the commands which are available through right-click functionality. The commands are
listed in alphabetical order with a reference to the pages from which they can be accessed.
Table 49. Right-click commands
Command

Present on the following pages

Add Application Group

Administration Tasks tab:

Application User Interface Authorization - Role

Application User Interface Authorization - Member

Add Task Definition

Administration Tasks tab:

Application User Interface Authorization - Role

Application User Interface Authorization - Member

Add Role Definition

Administration Tasks tab:

Application User Interface Authorization - Role

Application User Interface Authorization - Member



Alert
Enable Transport
SMTP
SNMP
WMI
Disable Transport
SMTP
SNMP
WMI
Disable Alert
History
Delete History

Searches page - Search definition (right pane)

NOTE: The History and Delete History options are only displayed when
alerting has been enabled for a search.

All Results

Administration Tasks tab:

Assign

Administration Tasks tab:

Assign to Configuration

Audit Events - event


Agent Configuration

Administration Tasks tab:

Excluded Accounts Auditing - template or account

File System Auditing - template or file path

File System Protection - template or file path

Registry Auditing - template or registry key

Services Auditing - template or service

SQL Auditing - template or instance

SQL Data Level Auditing - template

SonicWALL Cloud Storage Auditing - template or cloud site

SonicWALL Web Site Auditing - template or web site

Audit

Exchange Mailbox Auditing page - excluded mailbox

Clear Result

Deployment page - agent

Collapse All

Searches page - folder (left pane)

Comments

Overview page - event (data grid)


Search Results page - event (data grid)


Copy

Administration Tasks tab:

Coordinator Configuration - text boxes

Excluded Accounts Auditing - template

File System Auditing - template

Registry Auditing - template

Report Layouts - template

Services Auditing - template

SQL Auditing - template

SQL Data Level Auditing - template

Event Details pane (text boxes)


Overview page - event (data grid)
Search Properties tabs:

Report tab (text boxes)

Info tab (text boxes)

Search Results page - event (data grid)

Searches page:

Folder (left pane)

Search definition (right pane)

Credentials
Set
Clear
Test

Deployment page - agent

Cut

Administration Tasks tab:

Coordinator Configuration (text boxes)

Search Properties tabs:

Report tab (text boxes)

Info tab (text boxes)

Searches page:

Folder (left pane)

Search definition (right pane)


Delete

Administration Tasks tab:

Active Directory Auditing - object

Active Directory Auditing - object class

Application User Interface Authorization - role

Coordinator Configuration - text boxes

EMC Auditing - template or file path

Exchange Mailbox Auditing - mailbox

Exchange Mailbox Protection - template or mailbox

Excluded Account Auditing - template or account

Excluded AD Query Auditing - container

File System Auditing - template or file path

File System Protection - template or file path

NetApp Auditing - template or file path

Purge Jobs - job

Registry Auditing - template or registry key

Report Layouts - template

Services Auditing - template or service

SharePoint Auditing - template or path

SonicWALL Auditing - template or site

SQL Auditing - template or instance

SQL Data Level Auditing - template

VMware Auditing - template

Search Properties tabs:

Report tab (text boxes)

Info tab (text boxes)

Searches page:

Folder (left pane)

Search definition (right pane)


Disable

Administration Tasks tab:

Active Directory Auditing - object

Active Directory Protection - template or object

Audit Events - event

EMC Auditing - template or file path

Exchange Mailbox Auditing - mailbox

Exchange Mailbox Protection - template or mailbox

Excluded Accounts Auditing - template

Excluded AD Query Auditing - container

File System Auditing - template or file path

File System Protection - template or file path

Group Policy Protection - template or object

NetApp Auditing - template or file path

Purge Jobs - job

Registry Auditing - template or registry key

Services Auditing - template or service

SharePoint Auditing - template or path

SonicWALL Auditing - template or site

SQL Auditing - template or instance

SQL Data Level Auditing - template

VMware Auditing - template or host

Overview page - event (data grid)


Search Results page - event (data grid)
Disable Alert

Private Alerts and Reports page

Disable Report

Private Alerts and Reports page

Edit

Administration Tasks tab:

Active Directory Auditing - object or object class

Active Directory Protection - template, object or attribute protection

Application User Interface Authorization - role

EMC Auditing - template or file path

Exchange Mailbox Protection - template or mailbox

Excluded Accounts Auditing - template or account

File System Auditing - template or file path

File System Protection - template or file path

NetApp Auditing - template or file path

Purge Jobs - job

Registry Auditing - template or registry key

Report Layouts - template

Services Auditing - template or service

SharePoint Auditing - template or path

SonicWALL Auditing - template or site

SQL Auditing - template or instance

SQL Data Level Auditing - template

VMware Auditing - template or host


Email

Overview page - event (data grid)

Search Results page - event (data grid)

Enable

Administration Tasks tab:

Active Directory Auditing - object

Active Directory Protection - template or object

Audit Events - event

EMC Auditing - template or file path

Exchange Mailbox Auditing - mailbox

Exchange Mailbox Protection - template or mailbox

Excluded Accounts Auditing - template

Excluded AD Query Auditing - container

File System Auditing - template or file path

File System Protection - template or file path

NetApp Auditing - template or file path

Purge Jobs - job

Registry Auditing - template or registry key

Services Auditing - template or service

SharePoint Auditing - template or path

SonicWALL Auditing - template or site

SQL Auditing - template or instance

SQL Data Level Auditing - template

VMware Auditing - template or host

Overview page - event (data grid)


Search Results page - event (data grid)
Event Details

Overview page - event (data grid)


Search Results page - event (data grid)

Exclude

Exchange Mailbox Auditing page - audited mailbox

Expand All

Searches page - folder (left pane)

Export

Searches page:

Folder (left pane)

Search definition (right pane)

Hide Properties

Searches page:

Folder (left pane)

Search definition (right pane)

Agent Statistics page - agent

High/Medium/Low

Administration Tasks tab:

Audit Events Auditing

Import Folder

Searches Page - folder (left pane)

Import Search

Searches Page - folder (left pane)

Install or Upgrade

Deployment page - agent

Knowledge Base

Administration Tasks Tab:

Audit Events Auditing

Overview page - event (data grid)


Search Results page - event (data grid)


Logs
Open Log
Get All Logs
View Agent Log
View Coordinator Log

Agent Statistics page - agent

Coordinator Statistics page - coordinator

Deployment page - agent

Move

Searches page:

Folder (left pane)

Search definition (right pane)

New
New Folder
New Search

Searches page:

Folder (left pane)

Search definition (right pane)

Overviews

Overview page - event (data grid)

Paste

Administration Tasks tab:

Coordinator Configuration (text boxes)

Search Properties tabs:

Report tab (text boxes)

Info tab (text boxes)

Searches page:

Folder (left pane)

Search definition (right pane)

Publish to Dell Knowledge Portal

Searches page:

Folder (left pane)

Search Definition (right pane)

Redo

Administration Tasks tab:

Coordinator Configuration (text boxes)

Search Properties tabs:

Report tab (text boxes)

Info tab (text boxes)

Refresh Configuration

Administration Tasks tab:

Agents Configuration

Refresh Status

Deployment page - agent

Rename

Searches page - folder (left pane)

Report
Disable Report

Searches page - search definition (right pane)

Restart Agent

Agent Statistics page - agent

Run

Searches page - Search definition (right pane)

Scope
Object
One Level
Subtree

Exchange Mailbox Auditing page - audited mailbox

Search Properties

Search Results page - event (data grid)

Security

Active Directory Protection page - object


Group Policy Protection page - object


Select All

Administration Tasks tab:

Coordinator Configuration - text boxes

Event Details pane - text boxes


Search Properties tabs:

Report tab (text boxes)

Info tab (text boxes)

Set Agent Uninstalled

Agent Statistics page - agent

Set As My Favorite

Searches page - Search definition (right pane)

Set Coordinator Uninstalled

Coordinator Statistics page - coordinator

Show Properties

Searches page

Folder (left pane)

Search Definition (right pane)

Agent Statistics page - agent


Start Agent

Agent Statistics page - agent

Stop Agent

Agent Statistics page - agent

Success Only

Administration Tasks tab:

Audit Events - event

Success and Protected Only

Administration Tasks tab:

Audit Events - event

Success and Failed Only

Administration Tasks tab:

Audit Events - event

Undo

Administration Tasks tab:

Coordinator Configuration - text boxes

Search Properties tabs:

Report tab (text boxes)

Info tab (text boxes)

Uninstall

Deployment page - agent


B
Change Auditor Email Tags
The Alert Body Configuration dialog allows you to edit the plain text and the HTML representation of alert
emails. It consists of the following tabbed pages:

Preview - is for previewing a sample of what your customized email will look like.

Main Body - to define the overall content and layout of the alert email body.

Event Details - to define the details to be included for each event included in the alert email.

Signature - to define the signature line to be included.

The text entered in these tabs is sent when the alert triggers, with the exception of the variable tags
(%xxx%). These tags are used to retrieve information from Change Auditor. The following tags are used and
should NOT be modified.
Table 50. Tags valid in the Main Body tab
Email Tag:

Description:

%ALERT_COORDINATOR_DOMAIN%

The name of the domain where the coordinator that generated the
alert resides.

%ALERT_COORDINATOR_NAME%

The name of the coordinator generating the alert.

%ALERT_NAME%

The name of the alert that fired.

%ALERT_TIME_SENT%

The date and time when the alert fired.

%ALERT_TYPE%

The type of alert: Smart Alert or Alert.

%BATCH_ID%

The batch ID for all alerts grouped into a single smart alert email.

%EVENT_COUNT%

The number of events grouped into a single smart alert email.

%SMART_ALERT%

Indicates whether this is a smart alert email.

%SMART_ALERT_GROUPING%

Indicates whether this is a smart alert email and on a single object.

%SMART_ALERT_OCCURRENCE%

For smart alerts, the occurrence value specified in Send alert when
<nn> Events occur within <nn> <interval>.

%SMART_ALERT_PERIOD%

For smart alerts, the period of time specified in Send alert when
<nn> Events occur within <nn> <interval>.

%SMART_ALERT_PERIOD_UNIT%

For smart alerts, the time interval (minutes, hours or days) specified
in Send alert when <nn> Events occur within <nn> <interval>.
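
A lint for customized Main Body text, added here as an example and not part of the Dell guide or product: it checks every %TAG% token against the Table 50 list and reports tags that were altered, lost a delimiter, or are not valid on that tab. The function name, the sample template and the assumption that a tag consists only of letters, digits and underscores are this example's own.

```python
import difflib
import re

# Tags listed in Table 50 as valid in the Main Body tab.
MAIN_BODY_TAGS = frozenset({
    "ALERT_COORDINATOR_DOMAIN",
    "ALERT_COORDINATOR_NAME",
    "ALERT_NAME",
    "ALERT_TIME_SENT",
    "ALERT_TYPE",
    "BATCH_ID",
    "EVENT_COUNT",
    "SMART_ALERT",
    "SMART_ALERT_GROUPING",
    "SMART_ALERT_OCCURRENCE",
    "SMART_ALERT_PERIOD",
    "SMART_ALERT_PERIOD_UNIT",
})

# Assumption: a tag is a run of letters, digits and underscores between two
# percent signs, which is the shape of every tag in the guide's tables.
TAG_RE = re.compile(r"%([A-Za-z0-9_]+)%")
# A tag name with only one of its two delimiters left.
HALF_TAG_RE = re.compile(r"%([A-Za-z0-9_]+)|([A-Za-z0-9_]+)%")


def lint_main_body(template):
    """Return (line_no, token, problem, suggestion) for every suspect tag."""
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        # Pass 1: complete %TAG% tokens.
        for match in TAG_RE.finditer(line):
            name = match.group(1)
            if name in MAIN_BODY_TAGS:
                continue
            token = match.group(0)
            upper = name.upper()
            if upper in MAIN_BODY_TAGS:
                findings.append((line_no, token, "case altered", "%" + upper + "%"))
                continue
            close = difflib.get_close_matches(
                upper, sorted(MAIN_BODY_TAGS), n=1, cutoff=0.8)
            suggestion = "%" + close[0] + "%" if close else None
            findings.append((line_no, token, "not valid in Main Body", suggestion))

        # Pass 2: known tag names that lost one percent sign. Complete tokens
        # are blanked first so they are not reported twice; a literal such as
        # "100%" is ignored because "100" is not a tag name.
        remainder = TAG_RE.sub(" ", line)
        for match in HALF_TAG_RE.finditer(remainder):
            name = (match.group(1) or match.group(2)).upper()
            if name in MAIN_BODY_TAGS:
                findings.append(
                    (line_no, match.group(0), "missing % delimiter", "%" + name + "%"))
    return findings


# Constructed sample of an edited Main Body template (not from the guide).
SAMPLE = """Alert %ALERT_NAME% (%Alert_Type%) fired at %ALERT_TIME_SENT%.
Coordinator: %ALERT_COORDINATOR_NAME in %ALERT_COORDINATOR_DOMAIN%
Events in batch %BATCH_ID%: %EVENT_COUNTS%
Changed by %AD_SAMACCOUNTNAME% (100% of events)
"""

if __name__ == "__main__":
    for line_no, token, problem, suggestion in lint_main_body(SAMPLE):
        hint = " -> " + suggestion if suggestion else ""
        print("line %d: %s: %s%s" % (line_no, token, problem, hint))
```
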

Table 51. Tags valid in the Event Details tab


Email Tag:

Description:

%ACTIONNAME%

The action associated with the event (e.g., Modify Attribute).

%AD_SAMACCOUNTNAME%

For Active Directory events, the logon name of the user who
initiated the change event.

%AD_USERPRINCIPALNAME%

For Active Directory events, the user principal name (UPN) of the
user who initiated the change event.

%ADAM_CONFIGURATIONSET%

For ADAM (AD LDS) events, the name of the configuration set that
holds the ADAM instance where the change occurred.


%ADAM_INSTANCENAME%

For ADAM (AD LDS) events, the name of the ADAM instance where the
change occurred.

%ADAM_INSTANCEPORT%

For ADAM (AD LDS) events, the communications port used by the
ADAM instance where the change occurred.

%ADAM_PARTITIONNAME%

For ADAM (AD LDS) events, the name of the directory partition where
the change event occurred.

%ALERT_COORDINATOR_DOMAIN%

The name of the domain where the coordinator that generated the
alert resides.

%ALERT_COORDINATOR_NAME%

The name of the coordinator generating the alert.

%ALERT_NAME%

The name of the alert that fired.

%ALERT_TIME_SENT%

The date and time when the alert fired.

%ALERT_TYPE%

The type of alert: Smart Alert or Alert.

%ATTRIBUTENAME%

For Active Directory and ADAM (AD LDS) events, the name of the
schema attribute that was modified (e.g., displayName).
For File System events, the name of the file or folder attribute that
was modified.

%BATCH_ID%

The batch ID assigned to all alerts grouped into a single smart alert
email.

%COMMENT%

Any comments for the event which were entered using the Comments
feature on the Event Details pane.

%DOMAINCONTROLLER%

Indicates whether the agented server is a domain controller.

%DOMAINDN%

The distinguished name (DN) of the domain to which the Change
Auditor agent that generated the alert belongs.

%DOMAINFQDN%

The fully qualified domain name (FQDN) of the domain to which the
Change Auditor agent that generated the alert belongs.

%DOMAINNAME%

The name of the domain to which the Change Auditor agent that
generated the alert belongs.

%EVENT_COUNT%

The number of events grouped into a smart alert email.

%EVENTCLASSNAME%

The event name.

%EVENTMESSAGE%

The actual event that triggered the alert.

%EVENTSOURCE%

Indicates the application where the change event came from: Change
Auditor, ActiveRoles Server, or GPOADmin.

%EXCHANGE%

Indicates whether the agented server is an Exchange server.

%FACILITYNAME%

The name of the event class facility to which the event belongs (e.g.,
Domain Configuration).

%FORESTNAME%

The name of the forest where the Change Auditor agent that
captured the event resides.

%FS_ATTRIBUTENAME%

For File System events, the name of the attribute that was modified.

%FS_FILENAME%

For File System events, the name of the file that was modified.

%FS_FILESERVER%

For File System events, the name of the server where the file or
folder that was modified resides.

%FS_FILESYSTEMTYPEID%

For File System events, the type of object (File or Folder) that was
modified.

%FS_FOLDERPATH%

For File System events, the full path of the file or folder where the
modification occurred.

%FS_LOGONID%

For File System events, the logon ID of the user who made the
change.


%FS_PRIMARYSID%

For File System events, the SID of the user who made the change.

%FS_PROCESSNAME%

For File System events, the full path of the application responsible
for the change.

%FS_SHARENAME%

For File System events, the name of the local share that was
modified.

%FS_TRANSACTIONID%

For File System Transaction Status Changed events, the identification
number assigned to a transaction.
NOTE: Transaction Status events are only supported on Windows
Server 2008 or newer OS.

%FS_TRANSACTIONSTATUS%

For File System Transaction Status Changed events, the current
status of the transaction.
NOTE: Transaction Status events are only supported on Windows
Server 2008 or newer OS.

%GLOBALCATALOG%

Indicates whether the agented server is a Global Catalog.

%GPO_POLICYCANONICAL%

For Group Policy events, the canonical name (CN) of the group policy
that was modified.

%GPO_POLICYITEM%

For Group Policy events, the group policy item that was modified.

%GPO_POLICYNAME%

For Group Policy events, the name of the group policy that was
modified.

%GPO_POLICYSECTION%

For Group Policy events, the section of the group policy that was
modified.

%INITIATORMAIL%

For events generated by One Identity ActiveRoles Server or
GPOADmin, the email address of the user that initiated the change
event.

%INITIATORSID%

For events generated by One Identity ActiveRoles Server or
GPOADmin, the SID of the user that initiated the change event.

%INITIATORUSERNAME%

For events generated by One Identity ActiveRoles Server or
GPOADmin, the name of the user that initiated the change event.

%IPADDRESS%

The IP address of the Change Auditor agent that generated the alert.

%LDAP_ATTRIBUTES%

For AD Query events, the attributes that were queried.

%LDAP_ELAPSED%

For AD Query events, how long the AD query took to run.

%LDAP_FILTER%

For AD Query events, the filter string used in the AD query.

%LDAP_OCCURRENCES%

For AD Query events, the number of times the AD query occurred
during the specified interval.

%LDAP_RESULTS%

For AD Query events, the number of results returned as a result of
the query.

%LDAP_SCOPE%

For AD Query events, the scope of coverage: This object only or This
object and all children.

%LDAP_SINCE%

For AD Query events, the date and time when the AD query was first
initiated.

%LDAP_TYPE%

For AD Query events, the type of query: LDAP or GC.

%LOGON_DURATION%

For Logon Session events, how long the user session lasted or how
long the user was actually logged onto the computer (depends on the
event).

%LOGON_END%

For Logon Session events, the date and time when the user logged
out of the computer.

%LOGON_SESSIONEND%

For Logon Session events, the date and time when the current user
session ended.

%LOGON_SESSIONSTART%

For Logon Session events, the date and time when the current user
session began.

%LOGON_START%

For Logon Session events, the date and time when the user initially
logged onto the computer.

%LOGON_TYPE%

For Logon Activity events, the type of logon that occurred:

Domain Authentication

Interactive

Remote Interactive

%OBJECTCANONICAL%

For Active Directory and ADAM (AD LDS) events, the canonical name
of the object that was modified.
For Group Policy events, the canonical name of the group policy that
was modified.
For AD Query events, the LDAP object canonical name of the object
that was queried.

%OBJECTCLASS%

For Active Directory and Exchange events, the object class that was
modified (e.g., groupPolicyContainer).
For ADAM (AD LDS) events, the object class that was modified (e.g.,
container, user, group).
For AD Query events, the object class that was queried.

%OBJECTNAME%

For Active Directory and Exchange events, the name of the object
that was modified.
For ADAM (AD LDS) events, the distinguished name of the object that
was modified.
For Group Policy events, the name of the group policy that was
modified.
For AD Query events, the name of the object that was queried.

%ORGANIZATIONALUNIT%

For Active Directory and ADAM (AD LDS) events, the OU associated
with the object that was modified.
For Group Policy events, the name of the OU that is linked to the
group policy that was modified.
For AD Query events, the name of the OU associated with the LDAP
query.

%OSVERSION%

Indicates the operating system version of the machine where the
modification occurred.

%REGISTRYKEY%

For Registry events, the name of the registry key that was modified.

%REGISTRYVALUE%

For Registry events, the registry value that was modified.

%RESULTNAME%

Indicates the result of the operation mentioned in the event:

Success

Protected

Failed

None

%SAM_PRINCIPALNAME%

The logon name of the local account that initiated the change event.

%SAM_PRINCIPALTYPE%

The type of local account that initiated the change event.

%SERVERDN%

The distinguished name (DN) of the agented server that captured the
event.

%SERVERFQDN%

The fully qualified domain name (FQDN) of the agented server that
captured the event.

%SERVERNAME%

The name of the agented server where the change occurred.



%SERVEROU%

The name of the organizational unit where the agented server
resides.

%SERVICE_DISPLAYNAME%

For Service events, the display name of the service that was
modified.

%SERVICE_NAME%

For Service events, the name of the service that was modified.

%SEVERITYNAME%

The severity assigned to the change event: High, Medium or Low.

%SHAREPOINT_FARMNAME%

For SharePoint events, the name of the SharePoint farm where the
modification occurred.

%SHAREPOINT_ITEMNAME%

For SharePoint events, the name of the SharePoint item (e.g.
document, folder, list item) that was modified.

%SHAREPOINT_ITEMURL%

For SharePoint events, the URL of the SharePoint item that was
modified.

%SHAREPOINT_LISTNAME%

For SharePoint events, the name of the SharePoint list that was
modified.

%SHAREPOINT_LISTPATH%

For SharePoint events, the full path of the SharePoint list where the
modification occurred.

%SHAREPOINT_WEBNAME%

For SharePoint events, the name of the web site where the
modification occurred.

%SHAREPOINT_WEBURL%

For SharePoint events, the URL of the web site where the
modification occurred.

%SIGNSEAL%

For Active Directory and AD Query events, indicates whether the
LDAP operation or LDAP query is signed using Kerberos-based
encryption.

%SITEDN%

The distinguished name (DN) of the site where the agented server
resides.

%SITENAME%

The name of the site where the agented server resides.

%SMART_ALERT%

Indicates whether this is a smart alert email.

%SMART_ALERT_GROUPING%

Indicates whether this is a smart alert email and on a single object.

%SMART_ALERT_OCCURRENCE%

For smart alerts, the occurrence value specified in Send alert when
<nn> Events occur within <nn> <interval>.

%SMART_ALERT_PERIOD%

For smart alerts, the period of time specified in Send alert when
<nn> Events occur within <nn> <interval>.

%SMART_ALERT_PERIOD_UNIT%

For smart alerts, the time interval (minutes, hours or days) specified
in Send alert when <nn> Events occur within <nn> <interval>.

%SONICWALL_AUTHTYPE%

For SonicWALL alerts, the user authentication type (SSO, NTLM,
local) used to access the web or cloud storage site.

%SONICWALL_DURATION%

For SonicWALL alerts, the time span between the activity start time
and the activity end time.

%SONICWALL_END%

For SonicWALL alerts, the date and time when the activity ended.

%SONICWALL_SITEAPCATEGORY%

For SonicWALL alerts, the application category for the site where the
activity occurred.

%SONICWALL_SITEAPPNAME%

For SonicWALL alerts, the application name for the site where the
activity occurred.

%SONICWALL_SITECLOUD%

For SonicWALL Cloud Storage alerts, the name of the cloud storage
site (for example, Dropbox) where the activity occurred.

%SONICWALL_SITECOUNTRY%

For SonicWALL Web Site alerts, the IP address Geo-IP country
location for the site where the activity occurred.


%SONICWALL_SITEDOMAIN%

For SonicWALL alerts, the name of the site's domain where the
activity occurred.

%SONICWALL_SITEFULLURLS%

For SonicWALL alerts, a list of the full URL(s) of the site where the
activity occurred.

%SONICWALL_SITEIP%

For SonicWALL alerts, the IP address of the site where the activity
occurred.

%SONICWALL_SITENAME%

For SonicWALL Cloud Storage alerts, the web site name of the cloud
storage site (for example, www.dropbox.com) where the activity
occurred.

%SONICWALL_SITEPORT%

For SonicWALL alerts, the port number (80, 443, etc.) of the site
where the activity occurred.

%SONICWALL_SITEZONE%

For SonicWALL alerts, the zone name (e.g., LAN or WAN) of the site
where the activity occurred.

%SONICWALL_START%

For SonicWALL alerts, the date and time when the activity started.

%SONICWALL_USERZONE%

For SonicWALL alerts, the zone name (e.g., LAN or WAN) of the user
who initiated the activity.

%SQL_APPLICATIONNAME%

For SQL events, the name of the client application that initiated the
change event.

%SQL_CLIENTPROCESSID%

For SQL events, the identification number associated with the client
process that initiated the change event.

%SQL_DATABASEID%

For SQL events, the identification number associated with the SQL
database used by the process that initiated the change event.

%SQL_DATABASENAME%

For SQL events, the name of the SQL database used by the process
that initiated the change event.

%SQL_EVENTCLASS%

For SQL events, the SQL Server operation (event class) that was
performed.

%SQL_EVENTSUBCLASS%

For SQL events, the type of event subclass that was performed.

%SQL_HOSTNAME%

For SQL events, the name of the client workstation that initiated the
session.

%SQL_INSTANCENAME%

For SQL events, the name of the SQL instance where the change
event occurred.

%SQL_ISSYSTEM%

For SQL events, indicates whether a system session initiated the
change.

%SQL_LINKEDSERVERNAME%

For SQL events, the name of the linked server.

%SQL_OBJECTID%

For SQL events, the object identifier associated with the SQL object
that was changed.

%SQL_OBJECTID2%

For SQL events, the object identifier of related objects or entities, if
available.

%SQL_OBJECTNAME%

For SQL events, the name of the SQL Server object that was changed.

%SQL_OBJECTTYPE%

For SQL events, the type of SQL Server object that was changed.

%SQL_OWNERID%

For SQL lock events, the type of object that owns a lock.

%SQL_OWNERNAME%

For SQL events, the database user name of the object owner.

%SQL_PARENTNAME%

For SQL events, the name of the schema in which the object that
changed resides.

%SQL_PROVIDERNAME%

For SQL events, the name of the OLEDB provider.

%SQL_ROWCOUNTS%

For SQL events, the number of rows returned by the SQL query.

Table 51. Tags valid in the Event Details tab


Email Tag:

Description:

%SQL_SESSIONLOGINNAME%

For SQL events, the SQL Server login name used by the client to
create the session.

%SQL_SPID%

For SQL events, the SQL Server Process ID associated with the process
that initiated the change.

%SQL_SUCCESS%

For SQL events, indicates whether the event was successful.

%SQL_TEXTDATA%

For SQL events, the character string used in the SQL query.

%SSLTLS%

For Active Directory or AD Query events, indicates whether the LDAP
operation or LDAP query is secured using SSL or TLS technology.

%SUBSYSTEMNAME%

The subsystem, or area of auditing, where the change event occurred
(e.g., Active Directory, Service, Group Policy).

%TIMEBATCHED%

The UTC date and time when the batch of events was sent from the
agent to the coordinator.

%TIMEDETECTED%

The UTC date and time when the Change Auditor agent captured the
event.

%TIMEOFDAY%

The UTC time (no date) when the Change Auditor agent captured the
event.

%TIMERECEIVED%

The UTC date and time when the event was received by Change
Auditor.

%TIMEZONE%

The name of the time zone used for the alert's date/time stamps in
the email.

%TIMEZONETIMEDETECTED%

The date and time when the Change Auditor agent captured the
event, based on the selected time zone.

%TIMEZONETIMERECEIVED%

The date and time when the event was received by Change Auditor,
based on the selected time zone.

%USERADDRESS%

The machine name or IP address of the machine where the change
originated.

%USERADDRESSIPV4%

The IPv4 IP address of the machine where the change originated.

%USERADDRESSIPV6%

The IPv6 IP address of the machine where the change originated.

%USERDISPLAY%

The display name of the user who initiated the change.

%USERMAIL%

The email address of the user that initiated the change.

%USERNAME%

The NT4 logon name (domain\name) of the user who initiated the
change.

%USERSID%

The security identifier (SID) assigned to the user who initiated the
change.

%VALUENEW%

The new value that is now assigned to the object.

%VALUEOLD%

The old value that was assigned to the object.

%VMWARE_COMPUTERESOURCE%

For VMware events associated with compute resources, the name
of the compute resource where the change occurred.

%VMWARE_DATACENTER%

For VMware events, the name of the datacenter object where the
modification occurred.

%VMWARE_DS%

For VMware events associated with datastore objects, the name of
the datastore where the change occurred.

%VMWARE_DVS%

For VMware events associated with a Distributed Virtual Switch
(DVS), the name of the DVS where the change occurred.

%VMWARE_HOST%

For VMware events, the name or IP address of the host being audited
(as specified in the VMware Auditing template).

%VMWARE_NET%

For VMware events, the name of the network object where the
change occurred.

%VMWARE_VM%

For VMware events, the name of the virtual machine where the
modification occurred.

%VMWARE_VMWAREHOSTNAME%

For VMware events, the name of the host where the modification
occurred.

The event details defined in the Event Details tab are placed in the Main Body pane using the following tag:
%EVENT_DETAILS%
This tag should NOT be removed from the Main Body tab if you want to include the event details in the alert
emails.

C
Change Auditor PowerShell Commands
Adding the PowerShell Module
Viewing available commands and help
Installing Change Auditor coordinators and web clients
Finding Change Auditor installations and coordinators
Connecting to and disconnecting from Change Auditor installations and coordinators
Gathering Change Auditor system information
Deploying Change Auditor agents

Adding the PowerShell Module


Change Auditor comes with a PowerShell module for you to use to manage your environment. It is installed
when you install the Change Auditor client.
NOTE: Windows PowerShell version 3.0 or higher is required.
If you installed Windows PowerShell on your computer after you installed the Change Auditor client, you must
register the commands before you can start using them in Windows PowerShell.
To import the Change Auditor PowerShell module:
1. Open a Windows PowerShell window and type the following at the Windows PowerShell command
   prompt:
   Import-Module <path>
   Where "<path>" is the file path for the Dell.ChangeAuditor.PowerShell.dll assembly found in the Change
   Auditor client folder.
2. Type the following at the Windows PowerShell command prompt to ensure the module was added:
   Get-Module -All
   The registered PowerShell modules are listed.

Viewing available commands and help

To view all available Change Auditor commands, enter:
Get-Command -Module Dell.ChangeAuditor.PowerShell

To view help on each command including the syntax, enter:
Get-Help cmdletName

To view an interactive command browser that shows you the layout of commands as well as the help for
the commands, enter:
Show-Command cmdletName

Installing Change Auditor coordinators and web clients
The following commands allow you to install Change Auditor components.

Install-CACoordinator

Install-CAWebClient

Install-CACoordinator
Use this command to install a Change Auditor coordinator locally.
Table 52. Available parameters
Parameter

Description

-MsiPath

The location to run the coordinator msi.

-SQLAuthDatabaseCredentials

SQL authentication credentials.

-DatabaseCredentials

Windows authentication credentials.

-DatabaseServer

The server where you want to install the database.

-LogPath

The local path on the computer where the installation log will be
written.

Example: Perform a local installation of a Change Auditor coordinator


Install-CACoordinator -MsiPath "C:\Users\Administrator\Desktop\Dell Change Auditor Coordinator 6 (x64).msi" `
    -SQLAuthDatabaseCredentials $dbcredentials -DatabaseServer "MyDatabase" `
    -LogPath "C:\Users\Administrator\Desktop\Coordinator.log"
After running this command, the installed coordinator will have the installation name DEFAULT and look for or
create a database named ChangeAuditor.

Install-CAWebClient
Use this command to install the web client locally.
Table 53. Available parameters
Parameter

Description

-MsiPath

The location to run the web client msi.

-CoordinatorConnection

A previously created connection from Connect-CAClient.

-LogPath

Local path on the computer for the installation log to be written.

Example: Install a web client


Install-CAWebClient -MsiPath "C:\Users\Administrator\Desktop\Dell Change Auditor Web Client 6 (x64).msi" `
    -CoordinatorConnection $connection `
    -LogPath "C:\Users\Administrator\Desktop\WebClientInstallationLog.log"

Finding Change Auditor installations and coordinators
The following commands allow you to find the Change Auditor installations and coordinators available in your
Active Directory environment. Once connected, you can run additional commands to manage the deployment.
NOTE: The installations and coordinators returned by the searches depend on your credentials and
domain trusts.

Find-CAInstallations

Find-CACoordinators

Find-CASuitableCoordinator

Find-CAInstallations
Use this command to search Active Directory for all available Change Auditor installations. The default is the
current computer's forest; however, you can optionally specify a domain to search cross-forest for deployments.

Example: Find all Change Auditor installations in DomainName.com
Find-CAInstallations -DomainName DomainName.com

Find-CACoordinators
Use this command to search Active Directory for all available coordinators. The default is the current computer's
forest; however, you can optionally specify a domain to search cross-forest for deployments. This search returns
all the information required to connect to the coordinator, including ports.

Example: Find all available coordinators in DomainName.com
Find-CACoordinators -DomainName DomainName.com

Find-CASuitableCoordinator
Use this command to search Active Directory for a coordinator to which a connection can be made. The default
is the current computer's forest; however, you can optionally specify a domain to search cross-forest for
deployments.

Example: Find a coordinator in DomainName.com domain that you have the credentials to
connect to
Find-CASuitableCoordinator -DomainName DomainName.com

Example: Find a coordinator in DEFAULT installation that you have the credentials to connect
to
Find-CASuitableCoordinator -InstallationName DEFAULT

Connecting to and disconnecting from Change Auditor installations and coordinators

Connect-CAClient

Disconnect-CAClient

Connect-CAClient
Most Change Auditor commands require a connection to a coordinator which will then be passed to each
command. Change Auditor allows you to manage Change Auditor in the same forest or in a different forest from
a single Change Auditor client.
Use this command to create a connection object to use within a script. A default connection will be used
when one is not specified.
TIP: As a best practice, it is recommended to acquire a connection and use it for the entire script.
You can make multiple connections to different coordinators or deployments in the same script.
NOTE: Connections will be closed when the PowerShell session is ended or disconnected.

Table 54. Supported parameter sets that enable a connection

Example

Enter the following command:

Recommended: Connect to the installation XYZ in the local forest.
NOTE: This will allow for fault tolerance if you have numerous coordinators by selecting
the best option in the domain.

Connect-CAClient -InstallationName XYZ

Connect to the first coordinator that you have credentials to connect to.

$connection = Connect-CAClient

Connect to a specific coordinator by computer name and port.

Connect-CAClient -ComputerName cacord.DomainName.com -Port 52289

Connect to the first suitable coordinator in the domain DomainName.com.

Connect-CAClient -DomainName DomainName.com

Connect to the first suitable coordinator in the domain DomainName.com with an
installation name DEFAULT.

Connect-CAClient -DomainName DomainName.com -InstallationName DEFAULT

Connect to a coordinator found from Find-CACoordinators.

$coordinators = Find-CACoordinators -DomainName DomainName.com
$connection = Connect-CAClient -CoordinatorConnectionPoint $coordinators[0]

Disconnect-CAClient
Use this command to disconnect from Change Auditor. (This is the equivalent of closing the Change Auditor
client.)

Example: Connect to a Change Auditor deployment, and then close the connection
$connection = Connect-CAClient -DeploymentName DEFAULT
# perform some actions
Disconnect-CAClient $connection

Gathering Change Auditor system information
You can gather Change Auditor system information to help you to manage your installation components.

Get-CACoordinator

Get-CACoordinators

Get-CAInstallation

Get-CAAgents

Get-CACoordinator
Use this command to retrieve coordinator-specific (as opposed to installation-wide) status information from the
connected coordinator such as coordinator name, status, deployment name, version, connected agents,
connected legacy agents, connected clients, client port, total events, and buffered events which may be
different on each coordinator.

Example: Gather coordinator information for a specified connection


Get-CACoordinator $connection

Get-CACoordinators
Use this command to gather information about all the coordinators in a Change Auditor installation.

Example: Gather coordinator information for all coordinators for a specified connection
Get-CACoordinators -Connection $connection

Get-CAInstallation
Use this command to retrieve installation-specific (as opposed to coordinator-specific) status information
including the name of the installation, the database server, the database, and the database size.

Example: Gather installation information for a specified connection


Get-CAInstallation $connection

Get-CAAgents
Use this command to view information on all available agents.
NOTE: This will return information for workstation, server, and Domain Controller agents.
Table 55. Available parameters
Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Viewing all available agents within a specific


Get-CAAgents -Connection $connection
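
The TIP under Connect-CAClient and the Get-CA* commands above, combined into one read-only inventory script. This is an added example, not code from the Dell guide. The module path, the output folder, the installation name DEFAULT, and the use of Export-Csv on the returned objects are assumptions.

```powershell
# Added example: read-only snapshot of a Change Auditor installation.
# Assumed values (not from the guide): adjust before running.
$ModulePath       = 'C:\Path\To\ChangeAuditorClient\Dell.ChangeAuditor.PowerShell.dll'  # placeholder path
$InstallationName = 'DEFAULT'                                                            # assumed installation name
$OutDir           = Join-Path $env:TEMP 'ca-inventory'                                   # assumed output folder

$ErrorActionPreference = 'Stop'   # stop on the first failure so partial output is not mistaken for a full snapshot

# Import the module only if this session has not loaded it yet.
if (-not (Get-Module -Name Dell.ChangeAuditor.PowerShell)) {
    Import-Module $ModulePath
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$connection = $null
try {
    # Acquire one connection and reuse it for the entire script.
    $connection = Connect-CAClient -InstallationName $InstallationName

    # @() keeps the result an array even when a command returns one object or none.
    $installation = @(Get-CAInstallation $connection)
    $coordinators = @(Get-CACoordinators -Connection $connection)
    $agents       = @(Get-CAAgents -Connection $connection)

    # Write each result set to its own file so successive runs can be compared.
    $installation | Export-Csv -Path (Join-Path $OutDir 'installation.csv') -NoTypeInformation
    $coordinators | Export-Csv -Path (Join-Path $OutDir 'coordinators.csv') -NoTypeInformation
    $agents       | Export-Csv -Path (Join-Path $OutDir 'agents.csv')       -NoTypeInformation

    '{0} coordinator(s) and {1} agent(s) written to {2}' -f $coordinators.Count, $agents.Count, $OutDir
}
finally {
    # Close the connection even if a command above failed.
    if ($connection) { Disconnect-CAClient $connection }
}
```

Comparing agents.csv between runs shows which audited machines appeared or dropped out of the installation.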

Deploying Change Auditor agents


The following commands are available to manage your agent deployments.
NOTE: You must be a member of the Administrators role to use these commands.
NOTE: Any changes affecting configuration are audited with internal events.

Install-CAAgent

Uninstall-CAAgent

Update-CAAgent

Install-CAAgent
Use this command to install an agent.
Table 56. Available parameters
Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-MachineName

The fully qualified name of a target computer.

-Credentials

Credentials used to access the target computer.

-OperationTime

Specifies when to perform this operation.


NOTE: If this is not specified, it will default to the current time.

Example: Install an agent


Install-CAAgent -Connection $connection -MachineName "ComputerName.DomainName.com" -Credentials $credentials -OperationTime $time

Uninstall-CAAgent
Use this command to uninstall an agent.
Table 57. Available parameters
Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-MachineName

The fully qualified name of the target computer.


-Credentials

Credentials used to access the target computer.

-OperationTime

Specifies when to perform this operation.


NOTE: If this is not specified, it will default to the current time.

Example: Uninstall an agent


Uninstall-CAAgent -Connection $connection -MachineName "ComputerName.DomainName.com" -Credentials $credentials -OperationTime $time

Update-CAAgent
Use this command to upgrade an agent.
Table 58. Available parameters
Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Agent

The PSCAAgentInfo retrieved from the Get-CAAgents command.

-Credentials

Credentials used to access the target computer.

-OperationTime

Specifies when to perform this operation.


NOTE: If this is not specified, it will default to the current time.

Example: Upgrade an agent


Update-CAAgent -Connection $connection -Agent $agent -Credentials $credentials

About Dell

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they
trust and value. For more information, visit www.software.dell.com.

Contacting Dell
Technical Support:
Online Support
Product Questions and Sales:
(800) 306-9329
Email:
info@software.dell.com

Technical Support Resources


Technical support is available to customers who have purchased Dell software with a valid maintenance
contract and to customers who have trial versions. To access the Support Portal, go to
http://software.dell.com/support/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. In addition, the portal provides direct access to product support engineers through an
online Service Request system.
The site enables you to:

Create, update, and manage Service Requests (cases)

View Knowledge Base articles

Obtain product notifications

Download software. For trial software, go to Trial Downloads.

View how-to videos

Engage in community discussions

Chat with a support engineer
